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Advanced  Education  and 
Technology 

Summary:  what  we  found  in  our  audits 

Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department, 
Alberta  Research  Council,  iCORE  Inc.,  and  the  Access  to  the  Future  Fund  are 
unqualified. 

We  found  no  exceptions  when  we  applied  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

Other  entitles  that  report  to  the  Minister 

•  Systems — University  of  Calgary 

The  University  of  Calgary  should: 

•  implement  an  Information  Technology  (IT)  governance  and  control 
framework — see  page  10. 

•  improve  controls  over  payroll  functions — see  page  12. 

The  University's  progress  implementing  some  of  our  previous 
recommendations  was  unsatisfactory.  We  therefore  repeated  our 
recommendations  on: 

•  improving  controls  in  its  PeopleSoft  ERP  (see  glossary — ERP) 
systems — see  page  13. 

•  improving  controls  over  sponsored  research  and  trust  accounts — see 
page  15. 

•  Systems — Grant  MacEwan  College 

We  repeated  our  recommendation  that  the  College  should  improve  its 
financial  processes  and  controls  to  increase  efficiency  and  accuracy  in 
financial  reporting — see  page  18. 

•  Systems — Grande  Prairie  Regional  College 

The  College  should  improve  its  financial  processes  and  controls  over 
financial  reporting  with  the  goal  of  increasing  efficiency  in  preparing  accurate 
internal  and  external  financial  reports — see  page  20. 
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•  Systems — Alberta  College  of  Art  and  Design 

The  College  should  improve  its  systems  by  strengthening  internal  controls  for 
computer  system  access  and  server  backups,  and  developing  a  computer  use 
policy — see  page  2 1 . 

•  Systems — University  of  Lethbridge 

The  University  should  implement  an  information  technology  control 
framework — see  page  23. 

•  Systems — University  of  Alberta 

The  University  should  obtain  assurance  that  its  IT  service  provider  maintains 
security  configurations  for  the  outsourced  services  as  contracted — see 
page  24. 

•  Performance  reporting — post-secondary  institutions  and  other  entities 

Our  auditor's  reports  on  the  financial  statements  of  post-secondary 
institutions  listed  in  3.2  of  the  Scope  section  are  unqualified. 

•  Performance  reporting — other  entities 

Our  auditor's  reports  on  the  financial  statements  of  the  Alberta  Heritage 
Foundation  for  Medical  Research,  Alberta  Foundation  for  Health  Research, 
and  Alberta  Heritage  Foundation  for  Science  and  Engineering  Research  are 
unqualified. 


The  government  created  the  Ministry  of  Advanced  Education  and  Technology  by 
combining  the  former  ministries  of: 

•  Advanced  Education 

•  Innovation  and  Science 

The  Ministry  includes  the  Department  of  Advanced  Education  and  Technology, 
Alberta  Research  Council,  iCORE  Inc.,  Access  to  the  Future  Fund,  and  public 
post-secondary  institutions. 

In  2006-2007,  the  Ministry  spent  approximately  $2.5  billion.  The  largest  expenses 


Overview  of  the  Ministry 


were: 


(millions  of  dollars) 


Assistance  to  post-secondary  institutions 
Post-secondary  facilities  infrastructure 
Support  to  post-secondary  learners 
Support  to  build  innovation  capacity 


1,678 
395 
110 
92 
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For  more  information  on  the  Ministry,  visit  its  website  at 
http://www.advancededandtech.gov.ab.ca/. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  the  Department's  systems  for  monitoring  private 
post-secondary  institutions  and  vocational  schools. 

We  followed  up  our  previous  recommendations  on  student  loans,  allowability 
of  the  learning  system,  and  the  tuition  fee  policy. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  the  Department,  Alberta 
Research  Council,  iCORE  Inc.,  and  the  Access  to  the  Future  Fund  for  the  year 
ended  March  3 1,  2007. 

We  completed  specified  auditing  procedures  on  the  Ministry's  performance 
measures. 

3.  Other  entities  that  report  to  the  Minister 

3.1  Systems — post-secondary  institutions 

We  followed  up  on  our  previous  recommendations  after  management  had 
sufficient  time  to  implement  the  recommendations. 

3.2  Performance  reporting — post-secondary  institutions 

We  audited  the  financial  statements  for  the  year  ended  March  31,  2007  of  the 
following  entities: 

•  Athabasca  University 

•  University  of  Alberta 

•  University  of  Calgary  and  its  subsidiaries/related  entities,  The  Arctic 
Institute  of  North  America,  The  University  of  Calgary  Foundation 
(1999),  and  the  University  Technologies  Group 

•  University  of  Lethbridge 

We  also  audited  financial  information  of  the  Olympic  Oval/Anneau 
Olympique,  operated  by  the  University  of  Calgary. 

We  audited  the  financial  statements  for  the  year  ended  June  30,  2006  of  the 
following  entities: 

•  Alberta  College  of  Art  and  Design 

•  Bow  Valley  College 
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•  Grant  MacEwan  College  and  its  related  entity  Grant  MacEwan  College 
Foundation 

•  Grande  Prairie  Regional  College  and  its  related  entity  Grande  Prairie 
Regional  College  Foundation 

•  Keyano  College 

•  Lakeland  College 

•  Lethbridge  Community  College  and  its  related  entity  Lethbridge 
Community  College  Fund 

•  Medicine  Hat  College  and  its  related  entity  Medicine  Hat  College 
Foundation 

•  Mount  Royal  College  and  its  subsidiary/related  entities  Mount  Royal 
College  Day  Care  Society  and  Mount  Royal  College  Foundation 

•  Northern  Alberta  Institute  of  Technology  and  its  related  entities  the 
Northern  Alberta  Institute  of  Technology  Foundation  and  Fairview 
College  Foundation 

•  Northern  Lakes  College 

•  NorQuest  College  and  its  related  entity  NorQuest  College  Foundation 

•  Olds  College 

•  Portage  College 

•  Red  Deer  College 

•  Southern  Alberta  Institute  of  Technology 

3.3  Performance  reporting — other  entities 

We  audited  the  financial  statements  of  Alberta  Heritage  Foundation  for 
Medical  Research,  Alberta  Foundation  for  Health  Research,  and  Alberta 
Heritage  Foundation  for  Science  and  Engineering  Research  for  the  year  ended 
March  31,  2007. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Student  loans 

1.1.1     Designating  programs  as  eligible — implemented 

Background 

In  our  2004-2005  Annual  Report  (No.  15 — page  82),  we  recommended  that 
the  Department  of  Advanced  Education  consistently  use  graduation  and 
employment  data,  along  with  information  on  loan  relief  benefit  grant 
overpayments,  in  deciding  which  programs  will  continue  to  be  eligible  for 
student  funding. 
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Department 
concluded  on 
data  needed 


Our  audit  findings 

The  Department  implemented  the  recommendation  by  concluding  on  the  data 
needed  to  make  decisions  on  which  programs  are  eligible  for  student  funding, 
and  ensuring  staff  have  this  information. 

As  part  of  the  Pan  Canadian  Designation  Framework,  nine  provinces  and  the 
federal  government  have  adopted  loan  repayment  and  compliance  with 
program  administrative  requirements  as  the  eligibility  criteria  for  student 
funding.  Under  this  agreement  each  province  decides  which  programs  in  their 
jurisdiction  to  designate  as  eligible,  and  other  provinces  and  the  federal 
government  rely  on  their  work.  Programs  that  fail  to  maintain  a  65% 
repayment  rate  for  two  years  may  lose  their  designation  for  student  funding. 
Graduation  and  employment  rates  are  used  to  monitor  programs,  but  not  to 
designate  programs  as  eligible  for  student  funding. 

1 .1 .2     Department  compliance  tests — implemented 
Background 

In  our  2004-2005  Annual  Report  (No.  16 — page  83),  we  recommended  that 
the  Department  of  Advanced  Education: 

•  test  and  evaluate  the  risk  of  issuing  excessive  loans  and  loan  relief  benefit 
grants  caused  by  inaccurate  student  eligibility  information. 

•  automate  the  process  it  uses  to  decide  if  income  variances  are  due  to 
Department  grants. 


Department 
evaluated,  tested, 
and  concluded  on 
risk 


Our  audit  findings 

The  Department  implemented  this  recommendation  by  estimating  the  risk  of 
loan  overpayments  for  the  various  segments  of  its  loan  portfolio,  and  testing 
the  segments  to  evaluate  its  estimates.  This  testing  determined  which 
segments  have  the  greatest  risk  of  loan  and  grant  overpayments. 


The  Department  determined  that  it  is  not  feasible  to  fully  automate  the 
process  for  deciding  if  income  variances  are  due  to  its  grants.  Instead,  it  tests 
20%  to  25%  of  loans  to  the  higher  risk  segments  of  the  population  annually. 

1.2  Measuring  the  affordability  of  the  learning  system — implemented 
Background 

In  our  2002-2003  Annual  Report  (No.  31 — page  223),  we  recommended  that 
the  Department  of  Learning  (now  Advanced  Education  and  Technology) 
improve  one  of  the  core  performance  measures  (public  satisfaction  with  the 
affordability  of  the  learning  system)  that  reports  its  progress  in  delivering 
high  quality  learning  opportunities. 
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This  performance  measure  was  based  on  the  public's  perception  of 
affordability;  it  did  not  measure  whether  most  Albertans  could  afford  the 
learning  system. 


New  performance 
measure  added 
that  will  be  an 
indicator  of 
affordability 


Our  audit  findings 

The  Department  added  a  new  performance  measure  of  affordability  in  its 
2007-2010  business  plan:  the  ratio  of  total  debt  at  graduation  to  income  two 
years  after  graduation,  with  a  target  ratio  of  36%  for  2008.  This  measure  can 
only  be  an  effective  indicator  of  affordability  if  students  have  appropriate 
access  to  student  loans.  The  Department  also  took  actions  to  improve  access 
to  student  loans,  such  as  relaxing  restrictions  on  vehicle  ownership  and 
requirements  for  parental  contributions. 


1.3  Tuition  Fee  Policy 

1 .3. 1     Measurement  of  results — implemented 
Background 

In  our  2002-2003  Annual  Report  (No.  32 — page  224),  we  recommended  that 
the  Department  periodically  measure  whether  the  tuition  fee  policy  and  its 
related  programs  are  effective  in  making  post-secondary  education  affordable 
to  students. 


Department 
carried  out  a 
comprehensive 
review, 
developed  an 
affordability 
framework,  and 
developed  a  new 
performance 
measure 


Our  audit  findings 

The  Department  implemented  this  recommendation  through  a  review  of  the 
affordability  of  the  advanced  education  system,  the  development  of  a  new 
affordability  framework,  and  adoption  of  a  new  performance  measure  for 
affordability. 

The  Department  developed  its  affordability  framework  in  response  to  the  A 
Learning  Alberta  comprehensive  review  of  the  advanced  education  system. 
This  review  was  carried  out  by  a  steering  committee  appointed  by 
government,  and  included  reviews  of  tuition  rates,  government  funding,  and 
the  affordability  of  the  system. 


Tuition  fees 
indexed  to 
consumer  price 
index 


The  Department  also  implemented  a  new  tuition  fee  regulation  limiting  2006 
tuition  fees  to  2004  levels,  effectively  freezing  tuition  for  two  years,  with 
annual  increases  indexed  to  increases  in  the  consumer  price  index.  The 
Department  provided  additional  grant  funding  to  post-secondary  institutions 
to  make  up  for  the  lost  tuition  revenue,  thereby  reducing  institutions'  reliance 
on  tuition  revenue. 


Improved  access 
to  student  loans 


The  steering  committee  found  that  student  loan  living  allowances  had  not  kept 
pace  with  actual  costs.  As  part  of  the  framework,  the  Department  increased 
student  loan  living  allowances  by  14%,  and  relaxed  restrictions  on  vehicles 
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owned  by  students  and  requirements  for  parental  contributions  to  qualify  for 
student  loans. 

Under  the  affordability  framework,  student  loan  allowances  and  government 
grants  to  institutions  are  to  increase  annually  based  on  the  consumer  price 
index. 


To  evaluate  the  effectiveness  of  its  initiatives,  the  Department  is  measuring 
the  ratio  of  total  debt  at  graduation  to  income  two  years  after  graduation.  This 
measure  is  an  indicator  of  students'  ability  to  repay  their  loans,  and  should 
help  the  Department  to  identify  when  a  further  review  of  affordability  should 
be  carried  out. 

1 .3.2    Tuition  fee  policy  compliance — implemented 
Background 

In  our  2002-2003  Annual  Report  (No.  33 — page  226),  we  recommended  that 
the  Department  require  public  post-secondary  instiUitions  to  comply  with  the 
tuition  fee  policy.  We  also  recommended  that  the  Department  clarify  the 
methodology  for  applying  the  policy. 

The  tuition  fee  policy  at  that  time  restricted  tuition  fees  to  30%  of  the  net 
operating  expenditures,  and  set  a  fixed  amount  for  annual  average  tuition  fee 
increases.  Compliance  with  this  policy  could  only  be  measured  more  than  a 
year  after  the  related  tuition  revenues  were  set,  when  the  net  operating  results 
for  the  year  became  available,  and  unclear  instructions  on  allocating  overhead 
caused  variations  in  measurement. 


Our  audit  findings 

In  2006,  the  applicable  legislation  was  changed  to  remove  the  30%  restriction 
on  tuition  fees,  and  allow  tuition  fee  limits  to  be  set  by  regulation.  The  new 
tuition  fee  regulation  restricts  average  increases  in  tuition  to  the  increase  in 
the  consumer  price  index  in  the  previous  year.  The  new  measurement 
methodology  is  clearer,  and  less  subject  to  interpretation. 

Under  the  new  policy,  the  Department  evaluates  compliance  before  tuition 
fees  are  published.  Institutions  also  have  to  publish  their  expected  tuition  fee 
increases  for  the  next  four  years  and  consult  with  student  representatives  at 
least  twice  a  year  to  discuss  planned  increases. 

2.    Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department, 
Alberta  Research  Council,  iCORE  Inc.,  and  Access  to  the  Future  Fund  are 
unqualified. 


New  tuition  fee 
policy  with  a 
clearer 
methodology 


Department 
evaluates 
institution's 
compliance 
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Qualified  audit 
opinion  removed 


Net  assets  would 
have  increased  by 
$2.7  billion 


Internal  control 
matters  in  other 
sections 


Last  year,  we  qualified  our  opinion  on  the  financial  statements  of  the  Ministry 
because  it  did  not  include  the  public  post-secondary  institutions.  This  year,  we 
removed  our  qualification  because  the  Ministry  included  the  public 
post-secondary  institutions  using  the  modified  equity  basis  of  consolidation. 

The  modified  equity  method  of  consolidation  is  allowed  as  a  transition  to 
line-by-line  consolidation,  which  will  be  required  for  the  year  ending 
March  31,  2009. 

Under  line-by-line  consolidation,  the  Ministry's  capital  assets  would  have 
been  fully  consolidated  so  net  assets  at  March  31,  2007  would  have  increased 
by  approximately  $2.7  billion. 

We  had  no  exceptions  on  the  specified  auditing  procedures  report  on  the 
Ministry's  performance  measures. 

3.   Other  entities  that  report  to  the  Minister 
3.1  Systems — University  of  Calgary 

3.1 .1  University  of  Calgary  internal  control  systems — changed 
circumstances 

Background 

In  our  2002-2003  Annual  Report  (No.  35 — page  238)  we  recommended  that 
the  University  of  Calgary  improve  its  internal  control  systems.  In  prior  years, 
we  highlighted  internal  control  deficiencies  that  related  to  business  practices 
when  the  University  operated  old  (legacy)  information  systems.  The 
University  significantly  changed  its  business  and  financial  processes  after 
implementing  PeopleSoft  an  ERP  (see  glossary),  in  2006  and  abandoning 
many  of  its  old  systems.  As  a  result,  it  redesigned  many  internal  controls. 
Therefore,  the  University  has  substantially  dealt  with  the  specific  issues  noted 
in  our  2002-2003  Annual  Report. 

The  University  needs  to  continue  to  make  improvements  to  its  internal  control 
systems.  We  will  follow  up  these  improvements  through  the  University's 
progress  in  implementing  the  specific  recommendations  noted  below. 

3.1 .2  Information  technology  (IT)  governance  and  control  framework 
Recommendation  No.  18 

We  recommend  that  the  University  of  Calgary  implement  an  Information 
Technology  governance  and  control  framework. 
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Background 

IT  governance  is  a  structure  of  relationships  and  processes  to  direct  and 
control  an  enterprise's  IT  goals.  Responsibilities  designed  to  achieve  this  arc 
assigned  to  key  officials,  such  as  the  President.  Board  of  Directors.  Chief 
Information  Officer,  and  other  stakeholders. 

A  control  framework  is  a  set  of  fundamental  controls  that  must  be  in  place  to 
prevent  financial  or  information  loss  in  an  organization.  The  controls 
highlight  what  needs  to  be  done  at  various  levels  of  the  organization. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should: 

•  closely  match  IT  goals  with  business  goals. 

•  establish  a  formal  structure  for  deciding  on  IT  investments  that  will 
ensure  that  IT  solutions  meet  its  expectations,  are  properly  funded,  and 
have  adequate  resources  in  place  for  ongoing  support. 

•  establish  rules  for  managing  and  reporting  on  risks. 

•  adopt  an  IT  control  framework  and  processes  to  monitor  and  mitigate 
risks. 

•  define  duties  and  responsibilities  for  IT  management,  including  those  of 
the  Board  of  Directors. 

Our  audit  findings 

The  University  of  Calgary  IT  Team  understands  the  University's  goals  and 
the  risks  in  trying  to  reach  them.  But  it  manages  risks  on  an  ad  hoc  basis.  The 
University  does  not  have  a  plan  showing  the  IT  projects  it  wants  to  invest  in. 
It  normally  makes  IT  investments  on  an  as-needed  basis  when  funds  are 
available,  or  when  there  is  external  pressure  (such  as  special  projects  or 
grants)  to  invest  in  IT. 

In  this  year's  and  previous  years'  audits,  we  highlighted  weaknesses  related  to 
access,  change  management,  security,  and  IT  continuity  in  the  University's  IT 
control  processes.  The  University  could  have  prevented  or  effectively 
managed  deficiencies  in  IT  controls  with  a  sound  IT  control  framework  and 
good  governance  practices.  The  University  has  indicated  that  it  is  adopting  a 
recognized  framework  of  best  practice  approaches  intended  to  facilitate  the 
delivery  of  high  quality  IT  services,  as  part  of  a  comprehensive 
organization-wide  IT  control  framework.  To  be  effective,  IT  governance  and 
the  IT  control  framework  need  the  support  and  involvement  of  the  Board  of 
Governors  and  senior  management. 


Risks  managed 
on  an  ad  hoc 
basis 


Governance  and 
control 

framework  help 

prevent 

weaknesses 
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Implications  and  risks  if  recommendation  not  implemented 

Without  an  appropriate  IT  control  framework,  the  University  cannot  identify 
all  risks  to  its  IT  assets,  and  cannot  effectively  manage  or  mitigate  all  risks. 
Nor  can  it  show  that  it  has  done  so.  As  a  result,  the  entity  cannot  rely  on  its 
data,  applications,  or  systems  to  provide  complete,  accurate  and  valid 
information.  Ultimately,  it  cannot  ensure  that  it  meets  its  business  goals 
effectively. 

3.1 .3     Controls  over  payroll 
Recommendation 

We  recommend  the  University  of  Calgary  improve  controls  over  payroll 
functions. 


Background 

This  year,  the  University  implemented  the  payroll  and  human  resource 
module  in  PeopleSoft.  As  a  result,  business  processes  were  significantly 
changed  and  new  payroll  controls  were  implemented.  We  documented  the 
new  payroll  system  and  tested  key  controls  for  our  financial  statement  audit. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  adequate  controls  to  ensure  that  it  approves  and 
properly  monitors  information  on  new  employees,  job  termination  and  salary 
change  information. 


Weaknesses 
noted 


Our  audit  findings 

The  following  control  weaknesses  exist  in  the  areas  of  new  employees,  job 
and  salary  changes,  and  termination  control  processes: 


Poor  termination 
controls 


Termination  controls 

Of  25  terminations  tested: 

•  One  terminated  employee  continued  to  receive  pay  for  four  pay  periods 
after  her  termination  date.  The  University  has  not  recovered  $6,070  in 
overpayments  to  her. 

•  Four  terminated  employees  did  not  return  their  access  cards,  which 
remained  active  when  we  finished  our  audit  in  May  2007. 

•  Four  terminated  employees  did  not  return  their  SecurelDs,  used  to  access 
the  University's  network.  The  SecurelDs  remained  active  after  their 
termination  date. 


Four  former  employees  contacted  payroll  reception  asking  why  they  were  still 
being  paid  after  their  termination. 
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Payroll  module  access  controls 

Of  20  employees  tested  who  have  access  to  the  payroll  module,  5  have 
incompatible  functions  because  they  can  create  a  new  employee,  enter  and 
approve  time. 

Controls  for  new  employees,  employee  changes,  and  payroll  exception 
reviews 

There  was  no  evidence  that  supervisors  had  regularly  reviewed  information 
on  new  employees,  employee  changes,  payroll  exceptions  or  payroll  summary 
reports. 

Implications  and  risks  if  recommendation  not  implemented 

Without  adequate  controls  for  payroll  processes,  the  University  risks 
inaccurate  payments  and  fraud. 

3.1.4      PeopleSoft  security — recommendation  repeated 
We  made  this  recommendation  in  our  2005-2006  Annual  Report, 
Volume  2 — page  24.  We  have  repeated  this  recommendation  because  the 
University  did  not  take  sufficient  action  to  mitigate  PeopleSoft  security  risks 
this  past  year. 

Recommendation 

We  again  recommend  that  the  University  of  Calgary  improve  its  controls 
in  the  PeopleSoft  system  by: 

•  finalizing  and  implementing  the  security  policy  and  the  security 
design  document,  and 

•  ensuring  that  user  access  privileges  are  consistent  with  both  the 
user's  business  requirements  and  the  security  policy. 

Background 

In  April  2004,  the  University  started  a  three-year  project  to  move  several 
critical  business  and  financial  processes  to  PeopleSoft,  an  ERP  (see  glossary). 
In  2005,  the  general  ledger  and  materials  management  modules  moved  into 
PeopleSoft,  and  the  University  started  writing  a  security  design  document  to 
outline  the  process  and  define  the  rules  for  granting  users  access  to 
PeopleSoft.  In  2006,  the  payroll  and  human  resources  modules  were  moved 
into  PeopleSoft. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  reduce  the  risk  of  unauthorized  or  inappropriate  access 
to  its  programs  and  data  by: 

•  implementing  a  comprehensive  security  policy  and  maintaining  an 
up-to-date  security  design  framework  for  the  PeopleSoft  control 
environment. 


Incompatible 
payroll  functions 


Weak  review  of 

payroll 

information 
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Overall  IT  policy 
still  required 


Security  design 
document  not 
current 


Some  users  with 
too  many  roles 


•  controlling  access  to  programs  and  data  by  defining  and  enforcing 
procedures  to  identify,  authenticate  and  authorize  the  use  of  the 
University's  systems. 

•  establishing  procedures  to  ensure  that  only  authorized  changes  are  made 
to  user  accounts  (additions,  deletions,  changes)  and  that  they  are  made 
promptly. 

•  implementing  an  effective  control  process  to  periodically  review  the 
appropriateness  of  user  access  rights. 

Our  audit  findings 

With  respect  to  developing  and  implementing  the  enterprise  administrative 
systems  security  policy,  an  overall  IT  security  policy  is  still  required.  The 
security  policy  for  PeopleSoft  should  be  a  subset  of  the  overall  IT  security 
policy. 

The  PeopleSoft  security  design  document  was  initially  developed  in 
September  2005.  However,  important  sections  of  it  are  still  incomplete  or 
unimplemented.  PeopleSoft  assigns  privileges  based  on  "roles,"  which  are 
logical  groupings  of  individuals  related  to  their  type  of  work.  The  PeopleSoft 
security  design  document  is  not  current  because  the  roles  listed  in  it  are 
actually  fewer  in  number  than  the  actual  number  of  active  roles  extracted 
directly  from  the  system. 

We  identified  172  users  who  were  assigned  more  than  15  of  201  roles.  Three 
of  the  172  users  had  between  35  and  40  roles  assigned  to  them.  Users  with  too 
many  roles  may  encounter  conflicts  of  interests  and  incompatible  job  duties. 

We  found  644  users  who  could  change  historical  PeopleSoft  data  without  the 
system  showing  the  changes.  There  is  no  supporting  documentation  or 
business  reason  to  explain  why  so  many  users  had  this  privilege,  nor  were 
there  any  other  control  processes  over  the  assignment  of  this  change  authority. 

In  a  sample  selected  from  the  list  of  terminated  users  from  the  previous 

1 1  months,  3  people  still  had  access  to  PeopleSoft,  and  their  accounts  had  not 

been  locked  out. 


Implications  and  risks  if  recommendation  not  implemented 

Weak  access  controls  to,  and  within,  PeopleSoft  may  result  in  unauthorized 
access  to  confidential  data,  entry  of  an  unauthorized  transaction,  and  the 
accidental  or  deliberate  destruction  or  alteration  of  data.  Poor  controls  may 
also  lead  to  the  unauthorized  release  of  confidential  student  or  financial 
information.  Therefore,  the  University  may  not  be  able  to  rely  on  the 
completeness,  accuracy,  or  validity  of  the  data  produced  by  PeopleSoft. 
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3.1 .5     Controls  over  Sponsored  Research  and  Trust  accounts — repeated 
recommendation 

We  made  this  recommendation  in  our  2003-2004  Annual  Report,  page  257. 
We  now  repeat  it  because  progress  implementing  the  recommendation  has  not 
been  sufficient. 

Recommendation 

We  again  recommend  that  the  University  of  Calgary  improve  controls 
over  Sponsored  Research  and  Trust  accounts. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should: 

•  design  and  implement  controls  to  ensure  research  and  trust  expenditures 
are  appropriate  and  approved,  and  to  prevent  unauthorized  overspending 
on  research  projects. 

•  have  effective  processes  to  ensure  that  reporting  requirements  of 
sponsors  are  met. 

Our  audit  findings 

Control  weaknesses  persist,  though  there  was  no  evidence  in  the  expenses  we 
sampled  that  research  expenditures  were  inappropriate.  For  example: 

•  Management  confirmed  they  did  not  review  overspent  research  and  trust 
accounts  throughout  the  year  for  compliance  with  the  University's 
over-expenditure  policy.  At  year  end,  management  started  a  process  to 
review  overspent  projects  and  seek  approvals  to  meet  University  policy. 

•  The  University's  signing  authority  policy  is  deficient.  The  University 
allows  principal  investigators,  researchers  and  research  staff  to  approve 
purchase  of  goods  and  services,  but  its  policy  does  not  delegate  signing 
authority  to  them.  Only  department  managers,  deans  and  directors  have 
that  authority. 

•  Timely  reporting  of  spending  to  project  sponsors  did  not  occur  for  most 
of  the  year.  The  University  caught  up  with  reporting  to  sponsors  in  the 
last  quarter  of  the  fiscal  year. 

•  Management  confirmed  they  did  not  review  the  aged  research-and-trust 
receivables  listing.  We  found  errors  in  it. 

Implications  and  risks  if  recommendation  not  implemented 

Without  effective  approval  processes  and  enforcement  of  University  policy, 
research  and  trust  accounts  may  pay  for  non-allowable  and  improper 
expenses. 

The  University  may  lose  funding  for  its  research  initiatives  if  it  does  not  meet 
sponsors'  requirements. 
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3.1 .6     General  computer  controls — progress  report 
Background 

In  our  2005-2006  Annual  Report  (Volume  2 — page  20),  we  recommended 
that  the  University  of  Calgary  strengthen  the  overall  computer  control 
environment  by  clearly  defining  the  role  and  responsibilities  of  the  Chief 
Information  Officer  (CIO)  and  resolving  deficiencies  in  the  following  areas: 
defining  standards 
strategic  planning 
risk  assessment  and  mitigation 
business  continuity  and  disaster  recovery  planning 
day-to-day  operations 


What  the 
University  did 


Management  actions 

We  concluded  that  progress  in  implementing  the  overall  recommendation  was 
satisfactory.  The  following  are  examples  of  improvements  the  University 
made  this  past  year: 

•  defined  the  CIO's  roles  and  responsibilities.  The  CIO  has  developed  a 
4-year  IT  plan,  and  the  University  is  monitoring  compliance  with  the  plan 

•  worked  on  developing  a  new  Project  Development  Methodology  (PDM). 
The  PDM  includes  processes  and  procedures  to  ensure  that  applications 
and  systems  are  properly  designed,  developed,  implemented,  tested  and 
maintained 

•  developed  and  approved  University  of  Calgary  Information  Technology 
Master  Disaster  Recovery  Plan 

•  ensured  that  back  up  tapes  are  reasonably  protected  against  physical 
security  and  environmental  threats 


What  remains  to 
be  done 


Below  is  a  list  of  the  improvements  the  University  still  needs  to  make  to 
implement  the  recommendation: 

•  define  and  communicate  the  CIO's  role  and  authority  in  the  campus-wide 
IT  strategy  development,  operations,  and  funding,  not  just  central  IT 

services 

•  better  integrate  IT  requirements  into  the  overall  business  planning 
process 

•  develop  and  document  a  complete  IT  risk  assessment  plan 

•  implement  the  new  developed  Project  Development  Methodology 

•  expand  its  Emergency  Response  Plan  to  cover  all  areas  of  the  University, 
including  IT,  to  create  a  Business  Continuity  Plan.  It  must  ensure  that  the 
Master  Disaster  Recovery  Plan  supports  the  Business  Continuity  Plan 

•  complete  the  documentation  of  service  level  performance  measures  and 
then  monitor  them 

•  take  appropriate  steps  to  ensure  that  all  IT  users  are  aware  of  their  roles 
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and  responsibilities  for  internal  controls  and  IT  security 

•  ensure  that  policy  on  classification  of  business  information  assets  is 
followed 

•  document  and  implement  an  organization-wide  system  for  monitoring, 
logging,  and  responding  to  problems  and  incidents 

3.1 .7  Application  development  methodology — changed  circumstances 
Background 

In  our  2001-2002  Annua/  Report  (No.  44 — page  207)  we  recommended  that 
the  University  of  Calgary  implement  a  formal  methodology  to  design, 
develop,  implement,  test,  and  maintain  software  applications. 

Our  audit  findings 

This  year,  we  combined  our  testing  of  the  application  development 
methodology  with  our  general  computer  controls  and  reported  our  findings  in 
Section  3.1.6.  In  future  years,  we  will  no  longer  track  this  recommendation 
because  we  will  continue  to  test  and  report  on  application  development 
controls  as  part  of  annual  review  of  general  computer  controls. 

3.1.8  Management  special  investigation 

On  May  30,  2007,  management  informed  us  promptly  of  an  investigation  it 
had  started  on  a  number  of  journal  entries  processed  by  an  employee  at 
Campus  Infrastructure.  Management  became  aware  that  these  journal  entries 
may  be  inappropriate  through  a  disclosure  by  an  individual  under  the 
University's  Disclosure  Protection  Policy.  University  Audit  Services  assisted 
management  in  the  investigation. 

As  a  result  of  the  investigation,  management  concluded  that  certain  journal 
entries  were  inappropriate  and  corrected  the  University's  records.  The  journal 
entries  amounting  to  $5  million,  related  to  inappropriate  reclassification  of 
costs  between  expense  types,  operating  accounts  and  restricted  accounts.  This 
issue  related  to  proper  recording  of  transactions  in  the  University's  financial 
records;  there  was  no  loss  of  funds. 

After  reviewing  the  results  of  the  investigation  and  discussing  them  with 
management,  we  concluded  that  the  investigation  was  appropriate  and 
followed  the  procedures  in  the  University's  Disclosure  Protection  Policy. 
Management  and  Audit  Services  have  not  finished  the  investigation — we  will 
continue  to  monitor  its  progress. 


Management 
investigating 
issue  raised  under 
Disclosure 
Protection  Policy 


Certain  journal 
entries 

inappropriate 


Management 
took  appropriate 
steps 
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3.2  Systems — Grant  MacEwan  College 

3.2.1      Financial  processes — recommendation  repeated 

We  first  made  this  recommendation  in  our  2000-2001  Annual  Report 
(No.  39 — page  216).  We  have  found,  to  varying  degrees,  similar  issues  every 
year  since.  We  did  note  significant  improvement  in  the  last  couple  of  years, 
but  there  was  a  regression  this  year. 


Complete 
financial 
statements  not 
produced  timely 


Format  and 
review  of 
working  papers 
needs 

improvement 
Other  suggestions 


Recommendation  No.  19 

We  again  recommend  that  Grant  MacEwan  College  improve  its  financial 
processes  and  controls  to  increase  efficiency  and  accuracy  in  financial 
reporting. 

Our  audit  findings 

The  College  continues  to  experience  difficulty  in  producing  accurate  financial 
statements  within  scheduled  timelines.  We  started  our  year  end  audit  of  the 
June  30,  2006  financial  statement  audit  on  August  8,  2006.  We  expected  that 
we  would  have  draft  financial  statements  at  the  start  of  the  audit,  or  soon 
afterwards.  On  August  29,  at  our  request,  management  provided  us  with  an 
unfinished  and  unbalanced  working  copy  of  the  financial  statements.  We 
received  a  partially  reviewed  updated  draft  on  September  15,  2006,  but  we 
observed  that  some  significant  errors  remained  uncorrected.  We  finally 
received  the  first  balanced  and  fairly  complete  set  of  financial  statements  on 
September  20,  2006. 

One  of  the  ways  the  College  can  improve  effectiveness  and  efficiency  is  to 
improve  the  format  and  review  of  the  working  papers  that  management 
prepares  to  support  the  financial  statement  numbers.  We  identified  some 
specific  examples  to  management. 

Other  suggestions  we  noted  in  page  217  of  our  2000-2001  Annual  Report 
also  continue  to  be  relevant.  The  College  should  consider: 

•  significantly  reducing  the  number  of  accounts  in  the  general  ledger;  and 

•  how  it  can  automate  the  financial  statement  preparation  process.  The 
current  process  is  inefficient  and  can  be  prone  to  error  because  it  relies 
extensively  on  manual  processes.  Developing  an  ability  to  produce 
reports  directly  out  of  the  computer  systems  would  allow  for  an  easier 
and  more  accurate  accumulation  of  financial  data. 


What  remains 


To  implement  the  recommendation,  the  College  should  complete  balanced, 
accurate  and  reviewed  financial  statements  within  scheduled  timelines. 
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Implications  and  risks  if  recommendation  not  implemented 

Without  effective  and  efficient  processes  that  ensure  timely  and  accurate 
reporting  of  the  College's  financial  information  at  a  reasonable  cost,  the  board 
or  executive  management  may  not  have  appropriate  information  to  make 
decisions,  or  too  much  money  may  be  spent  preparing  financial  information. 

3.2.2     Access  to  financial  information 
Recommendation — implemented 

We  recommended  that  management  ensure  that  only  employees  requiring 
access  to  journal  entries  receive  access. 

Background 

This  recommendation  resulted  from  our  audit  of  the  College's  June  30,  2006 
financial  statements.  The  college  has  since  implemented  this 
recommendation. 

In  1999,  the  College  began  to  scan  in  all  journal  entries  and  supporting 
documentation.  Originally  this  information  was  only  accessible  internally 
through  a  common  hard  drive.  In  2002,  this  information  was  made  available 
online  through  the  College's  Financial  Services  website.  Because  of  the 
decentralized  nature  of  the  College,  the  online  access  was  intended  to  allow 
access  for  all  the  departments  that  prepare  journal  entries. 

Criteria:  the  standards  we  used  for  our  audit 

Confidential  financial  information,  including  journal  entries  and  supporting 
documents  should  be  restricted  to  those  that  require  the  information  to 
perform  their  functions. 

Our  audit  findings 

In  August  2006,  we  attempted  to  access  the  online  journal  entries  through  an 
internet  connection  outside  of  the  College  and  found  that  we  had  access  to 
view  and  print  all  journal  entries  and  supporting  documentation  dating  back  to 
1999.  We  found  that  the  supporting  documentation  included  employee  and 
student  information  such  as  credit  card  numbers,  copies  of  cheques, 
signatures,  addresses,  as  well  as  College  information  such  as  bank  account 
numbers  and  deposit  receipts. 

We  were  informed  that  access  was  open  to  external  internet  connections  from 
2002  to  2003.  When  Financial  Services  informed  Information  Technology 
Services  about  the  unrestricted  access,  access  to  the  journal  entries  was  then 
limited  to  internet  connections  with  a  Grant  MacEwan  College  network 
address.  However,  this  still  enabled  students  in  the  College  computer  labs  to 
access  the  information.  In  July  2006,  conversion  to  a  new  portal  resulted  in 
access  to  the  journal  entries  to  be  open  to  an  external  internet  connection  once 
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again.  When  we  informed  Financial  Services  of  the  unrestricted  access, 
Information  Technology  Services  shut  down  the  internet  link  immediately. 

Update  from  our  June  30,  2007  financial  statement  audit — we  verified  that 
access  to  journal  entries  on  the  internal  network  is  properly  restricted.  In 
addition,  the  College  has  reviewed  what  type  of  supporting  documentation  is 
needed,  and  it  no  longer  includes  certain  pieces  of  confidential  information. 

Implications  and  risks  if  recommendation  not  implemented 

Confidential  information  could  be  obtained  by  dishonest  individuals  which 
could  potentially  impact  the  College's  image  and  expose  the  College  to 
liability  risk. 

3.3  Systems — Grande  Prairie  Regional  College 
Financial  processes 
Recommendation  No.  20 

We  recommend  that  the  Grande  Prairie  Regional  College  improve  its 
processes  and  controls  over  financial  reporting  with  the  goal  of 
increasing  efficiency  in  preparing  accurate  internal  and  external 
financial  reports. 

Background 

Management  is  responsible  for  preparing  financial  statements  and 
accompanying  notes  and  schedules  in  accordance  with  Canadian  generally 
accepted  accounting  principles.  In  fulfilling  this  responsibility,  management 
should  have  effective  internal  controls  over  financial  reporting.  The 
Controller  prepares  financial  statements  for  the  Grande  Prairie  Regional 
College  (the  College),  the  Grande  Prairie  Foundation,  and  the  consolidated 
financial  statements  for  the  College  and  Foundation. 

The  Board  receives: 

•  a  budget  for  the  upcoming  fiscal  year  to  approve,  usually  in  March  or 
April. 

•  annual  audited  financial  statements  in  October  to  approve. 
Criteria:  the  standards  we  used  for  our  audit 

The  College  should  have  effective  processes  and  controls  over  preparing 
accurate  and  relevant  financial  statements  and  reporting  financial  information 
to  the  College's  Executive  and  the  Board  on  a  regular  basis. 
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Management 
does  not  receive 
any  financial 
reports  during  the 
year 


Our  audit  findings 

Management  financial  reporting 

Deans  access  the  College's  financial  system  to  monitor  actual  expenditures 
against  their  respective  budgets.  The  Vice  President  -  Administration  and  the 
Controller  monitor  overall  spending  in  the  College.  However,  the  Executive 
Committee  does  not  receive  any  summary  financial  information  or  reports 
throughout  the  year  to  monitor  expenditures,  identify  possible  cost-overruns 
or  surpluses,  and  reallocate  spending  or  re-prioritize  projects. 


Annual  financial 
statements  not 
timely  and 
accurate 


Processes  and  controls  over  financial  statement  preparation 
The  College  had  trouble  producing  accurate  financial  statements  within 
scheduled  timelines.  The  College  did  not  have  draft  financial  statements 
available  for  us  when  we  began  the  final  phase  of  our  audit  fieldwork  on 
August  21,  2006.  However,  we  expected  they  would  be  available  within  a 
week  or  two.  We  received  several  updated  drafts,  but  we  observed  that  the 
cash  flow  statement  remained  unbalanced  and  other  errors  remained 
uncorrected.  We  did  not  receive  the  first  balanced  and  complete  set  of 
financial  statements  until  October  24,  2006. 


Many 

adjustments 
processed  after 
year-end 


The  College  also  processed  a  large  number  of  adjustments  after  year-end.  The 
lack  of  regular  management  reporting  during  the  year  could  be  the  cause  for 
this,  as  the  staff  and  management  do  not  identify  and  process  required 
adjustments  timely.  This  creates  extra  pressure  for  the  Controller  and  her  staff 
at  year-end. 


Implications  and  risks  if  recommendation  not  implemented 

Without  effective  and  efficient  processes  that  ensure  timely  and  accurate 
reporting  of  the  College's  financial  information  at  a  reasonable  cost,  the  board 
or  executive  management  may  not  have  appropriate  information  to  make 
decisions,  or  too  much  money  may  be  spent  preparing  financial  information. 

3.4  Systems — Alberta  College  of  Art  and  Design 
IT  Internal  Controls 
Recommendation 

We  recommend  that  the  Alberta  College  of  Art  and  Design  strengthen 
internal  controls  for  computer  system  access  and  server  backups.  We 
further  recommend  that  the  College  develop  a  computer  use  policy. 


Criteria:  the  standards  we  used  for  our  audit 

The  College  should: 

•     restrict  access  to  change  security  rights  for  computer  systems  to  systems 
or  security  administrators 
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ensure  each  user  has  a  unique  user  ID  for  computer  systems  and 
applications,  and  track  changes  made  by  each  user 
restrict  the  ability  to  add  or  remove  programs  from  computers  to 
authorized  individuals  only 

complete  backups  of  computer  servers  on  a  regular  basis  and  store 
backups  in  a  secure  location.  The  backup  restoration  process  should  be 
tested  on  a  periodic  basis 
have  a  computer  use  policy  that  is  enforced 


Weaknesses  in  IT 
controls 


Our  audit  findings 

We  reviewed  the  College's  information  technology  (IT)  controls  for  our 
financial  statement  audit  and  found  the  following  weaknesses: 


Improper  access 
and  sharing  of 
user  IDs 


Access  controls  need  improvement.  For  example: 

•  Four  employees  within  the  Finance  department  and  one  service  provider 
can  add  and  delete  users  as  well  as  change  access  privileges  for  existing 
users.  Also,  three  other  employees  share  one  user  ID. 

•  Certain  faculty  staff  members  have  the  ability  to  add  and  remove 
programs  from  their  computers.  With  this  level  of  access  it  would  be 
possible  for  these  individuals  to  remove  critical  software  and  hardware 
from  their  computers,  such  as  anti-virus  protection  software. 


Improper  storing 
and  testing  of 
server  backups 


No  computer  use 
policy 


Server  backup  procedures  need  improvement.  For  example: 

•  The  College  completes  backups  of  their  servers  on  a  daily  and  weekly 
basis.  However  the  backups  are  not  securely  stored  at  an  off-site  location. 
Instead,  they  are  stored  in  the  IT  department  on  an  employee's  desk. 

•  The  College  has  not  tested  the  backup  restoration  process  to  ensure  it  is 
functioning  appropriately  to  ensure  the  College  can  recover  data  in  the 
event  of  a  system  failure. 

•  The  College  does  not  have  documented  procedures  in  place  for 
completing,  storing,  or  restoring  server  backups. 

The  College  does  not  have  a  computer  use  policy  in  place  that  defines 
acceptable  use  of  the  College's  computer  systems 


Implications  and  risks  if  recommendation  not  implemented 

Without  sufficient  access  controls  in  place,  unauthorized  users  may  have 
access  to  the  College's  computer  systems.  In  addition,  insufficient  procedures 
and  processes  for  server  backups,  increase  the  risk  that  the  College  may  not 
be  able  to  recover  data  in  the  event  of  system  failure.  Without  a  computer  use 
policy  in  place,  there  is  a  risk  that  employees  may  not  understand  acceptable 
and  unacceptable  use  of  the  College's  computer  systems. 
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3.5  Systems — University  of  Lethbridge 
IT  Internal  Framework 
Recommendation  No.  21 

We  recommend  that  the  University  of  Lethbridge  implement  an 
information  technology  control  framework. 

Background 

A  control  framework  is  a  set  of  fundamental  controls  that  must  be  in  place  to 
prevent  financial  or  information  loss  in  an  organization.  The  controls 
highlight  what  needs  to  be  done  at  various  levels  of  the  organization. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  a  comprehensive  Information  Technology  (IT) 
control  framework  that  includes  appropriately  documented  and  implemented 
policies,  procedures,  and  IT  controls  to  safeguard  its  data  and  systems  against 
unauthorized  use,  disclosure,  modification,  damage,  or  loss. 

Our  audit  findings 

The  University  does  not  have  a  documented  information  technology  control 
framework.  Because  an  IT  control  framework  has  not  been  implemented, 
policies,  standards  and  guidelines  were  not  properly  documented,  did  not 
exist,  or  were  not  being  monitored  for  compliance.  For  example: 

•  The  University  has  not  documented  its  information  security  policy  and 
has  inconsistently  implemented  its  security  controls.  This  resulted  in  poor 
virus  protection,  inadequate  password  controls,  and  poor  user  awareness 
of  their  security  responsibilities.  In  addition,  users  of  its  public  and 
student  accessible  computers  are  able  to  connect  to  computers  that 
contain  sensitive  information. 

•  The  University  does  not  have,  or  follow,  documented  change 
management  procedures  or  update  its  IT  configuration  documentation  as 
part  of  its  changes. 

•  The  University  could  improve  its  management  over  IT  projects.  For 
instance,  we  noted  examples  where  systems  were  being  developed 
without  adequate  planning,  testing,  and  adherence  to  timelines. 

Implications  and  risks  if  recommendation  not  implemented 

Without  an  appropriate  IT  control  framework,  the  University  cannot  identify 
all  risks  to  its  IT  assets,  and  cannot  effectively  manage  or  mitigate  all  risks. 
Nor  can  it  show  that  it  has  done  so.  As  a  result,  the  entity  cannot  rely  on  its 
data,  applications,  or  systems  to  provide  complete,  accurate  and  valid 
information.  Ultimately,  it  cannot  ensure  that  it  meets  its  business  goals 
effectively. 


IT  Control 

weaknesses 


Inconsistent  use 
of  security 
controls 


No  formal  change 

management 

procedures 

Systems 

development  not 

properly 

controlled 
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3.6  University  of  Alberta 

3.6.1      Security  configuration  settings 
Recommendation 

We  recommend  that  the  University  of  Alberta  obtain  assurance  that  its 
IT  service  provider  maintains  security  configurations  for  the  outsourced 
services  as  contracted. 

Background 

The  University  has  contracted  with  a  service  provider  to  provide  a  significant 
number  of  services  under  an  Administrative  Applications  Management 
Services  Agreement.  Under  this  agreement,  the  information  security  controls 
agreed  to  by  the  University  and  the  service  provider  are  defined  within  an 
Information  Security  Controls  document.  The  document  also  specifies  that 
'health  checks'  will  be  conducted  periodically  by  the  service  provider  to 
verify  that  the  security  controls  that  were  in  place  at  the  contract  start  date  are 
maintained. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  controls  to  ensure  that  the  service  provider 
implements  and  maintains  agreed-to  security  configuration  settings,  and 
ensure  the  accuracy  of  the  reports  used  to  confirm  the  correctness  of  these 
settings.  In  addition,  the  University  should  conduct  timely  reviews  of  the 
system-generated  security  configuration  settings  implemented  by  the  service 
provider. 

Our  audit  findings 

A  comparison  of  security  configuration  parameters  in  the  Information 
Security  Control  document,  and  the  settings  tested,  and  reported,  through  the 
'health  check'  report  prepared  by  the  service  provider,  revealed  a  number  of 
differences.  For  example,  the  health  check  report  prepared  by  the  service 
provider  used  parameters  of  6  characters  and  126  days  for  testing  the  actual 
settings  for  password  length  and  expiry,  whereas  the  document  listed  the 
requirements  for  these  settings  as  8  characters  and  90  days  respectively.  The 
use  of  differing  security  settings  for  generating  system  health  reports  results 
in  generating  data  that  may  not  meet  the  University's  security  needs  and  may 
result  in  the  service  provider  not  complying  with  the  contract.  In  addition,  the 
service  provider  is  required  to  report  deviations  from  the  document,  however, 
because  these  deviations  were  not  detected  during  recent  'health  checks' 
executed  by  the  service  provider,  they  were  not  reported. 


Security 
configurations 
not  consistent 
with  the 
agreement 
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University  should 
improve  its 
monitoring  of  the 
agreement 


The  University  did  not  review  these  status  reports  on  a  timely  basis.  Evidence 
of 'health  checks1  performed  by  the  service  provider  should  be  requested  at 
least  on  an  annual  basis.  These  reports  should  be  reviewed  by  the  University 
against  key  information  security  controls  defined  within  the  Information 
Security  Control  document  to  ensure  that  the  control  settings  are  in 
compliance  with  the  agreed  information  security  controls. 

Implications  and  risks  if  recommendation  not  implemented 

Deviations  from  agreed-to  security  configuration  settings  may  reduce  the 
effectiveness  of  established  information  security  controls.  In  addition,  without 
regular,  timely  review  of  the  status  reports,  the  University  may  be  unaware  of 
reported  deviations. 


3.6.2      Internal  control  systems — progress  report 
Background 

In  our  2002-2003  Annua/  Report  (No.  34 — page  235)  we  recommended  that 
the  University  of  Alberta  improve  its  system  of  internal  control. 


University  has 
developed  a 
widely  accepted 
Internal  Control 
Framework 
model 


Management  actions 

In  prior  years,  we  recommended  that  the  University  adopt  a  strategy  to 
modernize  and  significantly  improve  its  control  systems.  We  concluded  that 
the  University  has  made  satisfactory  progress.  The  process  to  modernize  its 
control  systems  is  a  significant  undertaking  of  the  University:  it  has  been 
ongoing  for  a  number  of  years  and  is  still  a  multi-year  process. 

We  previously  stated  that,  as  a  first  step,  the  University  should  determine  the 
business  model  or  models  to  use  in  assigning  responsibility  and  authority  for 
the  implementation  and  enforcement  of  control  processes.  Management  has 
adopted  a  relevant  model,  as  it  has  developed  a  widely  accepted  Internal 
Control  Framework  model. 


New  polieies  and 

procedures 

developed 


Control 
assessment 
templates  being 
provided  to 
faculties 


The  University  continued  to  make  progress  improving  its  system  of  internal 
control.  For  example,  the  University  developed  a  number  of  polieies  and 
procedures  at  the  entity  level  and  at  the  process  level,  such  as  the  fraud 
policy,  and  procedures  on  allocating  the  purchase  price  of  significant  property 
acquisitions.  These  policies  and  procedures  will  help  ensure  consistency  of 
application  in  all  areas  of  the  University. 

Management,  with  help  from  Internal  Audit  Services,  has  distributed  a  control 
assessment  checklist  to  certain  faculties  to  learn  what  controls  and  processes 
they  have  in  place  and  who  performs  those  controls  and  processes.  This  will 
let  management  better  assess  the  control  environment  at  a  faculty  level  and 
decide  what  improvements  are  required.  Management  plans  to  have  85%  of 
the  checklists  completed  within  a  few  months.  Feedback  from  these 
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completed  checklists  will  help  focus  and  facilitate  improvements  in  processes 
and  controls  at  both  faculty  and  department  levels. 

What  remains  j0  fmish  implementing  this  recommendation,  the  University  must  fix  the 

remaining  gaps  and  deficiencies  in  internal  controls  identified  in  our  original 
recommendation,  such  as:  improving  controls  over  authorization  of  paying 
invoices  and  setting  up  employees  on  payroll  system;  implementing  a  new 
capital  asset  module;  and  finishing  implementing  the  business  resumption 
plan  and  disaster  recovery  plan. 

3.6.3     Net  assets — implemented 
Background 

In  our  1999-2000  Annual  Report  (No.  36 — page  228),  we  recommended  that 
the  University  of  Alberta  determine  the  level  of  net  assets  that  will  be 
required  on  an  ongoing  basis  to  ensure  that  programs  and  facilities  are 
supported  and  will  continue  to  be  supported. 

Our  audit  findings 

The  first  step  to  implementing  this  recommendation  was  to  eliminate  the  net 
asset  deficit,  which  the  University  did  in  2005.  The  University  finished 
implementing  this  recommendation  by  developing  information  and  strategies 
for  issues  such  as:  ongoing  maintenance  and  replacement  of  infrastructure 
assets;  human  capital  deficiency;  and  maintenance  of  the  purchasing  power 
for  internally  funded  endowments. 

3.7  Athabasca  University — Information  Technology  Strategic  Planning  for 
Administrative  Systems 

3.7.1      Information  technology  planning  and  governance — implemented 
Background 

In  our  2004-2005  Annual  Report  (No.  19 — page  97)  we  recommended  that 
Athabasca  University  improve  its  information  technology  planning  and 
governance  by: 

•  completing  the  definition  of  its  overall  information  technology  strategy, 
and  preparing  and  implementing  a  plan  to  achieve  the  strategy 

•  adopting  a  formal  information  technology  internal  control  system 
framework 

•  creating  an  overall  steering  committee  to  manage  information  technology 
Our  audit  findings 

The  University  has  prepared  an  Information  Systems  Plan  that  includes  more 
integration  between  systems  and  less  reliance  on  manual  intervention.  This 
plan  has  been  approved  by  the  Governing  Council  and  Academic  Council  and 
an  implementation  plan  is  under  development.  An  industry  accepted  internal 
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control  framework,  inclusive  of  continual  review  and  enhancement  processes, 
has  been  adopted  and  is  in  the  process  of  being  implemented.  There  is  an 
overall  governance  structure  in  place  to  manage  information  technology. 
Three  steering  committees  meet  on  a  regular  basis  and  the  University 
Executive  management  acts  as  an  overarching  steering  committee. 

3.7.2     Cost  tracking  system — implemented 
Background 

In  our  2004-2005  Annual  Report  (page  99)  we  recommended  that  Athabasca 
University  implement  a  system  to  quantify  the  costs  of  developing  and 
operating  Information  Technology  systems. 

Our  audit  findings 

The  University  has  adopted  a  project  methodology  for  systems  developments 
that  will  better  allow  management  to  track  the  status  of  projects,  including 
their  costs.  There  is  now  a  process  for  initiation,  approval,  management  and 
closure  of  projects. 

3.8  Performance  reporting — post-secondary  institutions 

Our  auditor's  report  on  financial  information  of  the  Olympic  Oval/Anneau 
Olympique,  operated  by  the  University  of  Calgary,  has  a  reservation  of 
opinion  because  the  statement  of  base  operating  costs  and  revenue  does  not 
include  all  the  revenues  and  expenses  for  maintaining,  managing  and 
operating  the  Oval  facility.  We  could  not  reasonably  determine  the  amount  of 
excluded  revenues  and  expenses. 


Oval's 

reservation  of 
opinion 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


27 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 — Audits  and  recommendations 


Agriculture  and  Food 


Agriculture  and  Food 

Summary:  what  we  found  in  our  audits 

Performance  reporting 

Our  auditor's  reports  on  the  Ministry  and  Department's  financial  statements  are 
unqualified. 

We  found  one  exception  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures — see  page  32. 

Other  entities  that  report  to  the  Minister 

•  Systems 

The  Agriculture  Financial  Services  Corporation  should: 

•  improve  their  loan  loss  methodology — see  page  32. 

•  assess  the  risks  and  implement  policies  for  wireless  technology — see 
page  34. 

•  improve  data  entry  controls  for  manual  Canadian  Agricultural  Income 
Stabilization  program  claims — see  page  35. 

•  Performance  reporting 

Our  auditor's  report  on  the  Agriculture  Financial  Services  Corporation  financial 
statements  is  unqualified. 


Ministry 
entities 


Overview  of  the  Ministry 

The  Ministry  consists  of  the  following  entities: 

•  Department  of  Agriculture  and  Food 

•  Agriculture  Financial  Services  Corporation 


The  Department  of  Agriculture  and  Food  also  includes  the  financial  results  of  the 
Agricultural  Products  Marketing  Council,  Alberta  Grain  Commission,  Farmers' 
Advocate  Office,  and  the  Irrigation  Council.  These  entities  do  not  produce  separate 
financial  statements. 


3  core 
businesses 


The  Ministry's  2006-2009  business  plan  includes  three  core  businesses: 

•  facilitate  sustainable  industry  growth 

•  enhance  rural  sustainability 

•  strengthen  business  risk  management 
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Ministry  The  Ministry  received  $531  million  in  revenue  in  2006-2007.  Its  largest  revenue 

received 

sources  are: 

$531  million 

(millions  of  dollars) 

Transfers  from  the  Government  of  Canada  $  25 1 

Premiums  from  insured  persons  132 
Interest  and  investment  income  97 
Fees,  permits,  licenses,  and  other  revenue  29 

Ministry  spent    in  2006-2007,  the  Ministry  spent  $1 .068  billion.  Its  largest  expenditures  are: 
$1  068  billion  (millions  of  dollars) 

Farm  income  support  $  573 

Insurance  2 1 6 

Environment  and  food  safety  63 

Infrastructure  assistance  5 1 

Industry  development  46 

Rural  services  37 

Farm  fuel  distribution  allowance  32 

For  more  detail  on  the  Ministry,  visit  its  website  at  www.agric.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  followed  up  our  previous  recommendations  on: 

•  establishing  measurable  targets  for  its  emergency  financial  assistance 
programs. 

•  strengthening  the  monitoring  and  review  of  employee  performance  and 
development. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  and  the  Department  for  the 
year  ended  March  31,  2007.  We  also  completed  specified  auditing  procedures 
on  the  Ministry's  performance  measures. 

3.  Other  entities  that  report  to  the  Minister 

At  the  Agriculture  Financial  Services  Corporation,  we: 

•  examined  the  Corporation's  loan  loss  methodology,  wireless  technology 
environment  and  systems  for  processing  manual  program  claims  for  the 
Canadian  Agricultural  Income  Stabilization  program. 

•  followed  up  our  2004-2005  recommendations  on  the  beginning  farmer  loan 
program,  improving  controls  over  the  administration  of  the  Canadian 
Agriculture  Income  Stabilization  program,  and  testing  advance  payment 
methodologies. 
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•  audited  the  financial  statements  of  the  Corporation 

•  completed  compliance  audits  for  the  Government  of  Canada. 


Our  audit  findings  and  recommendations 

1  Systems 

1.1  Measurable  targets — implemented 
Background 

In  our  2003-2004  Annual  Report  (page  81),  we  recommended  that  the 
Department  establish  measurable  targets  for  its  emergency  financial  assistance 
programs. 


Our  audit  findings 

The  Department  has  established  a  template  that  it  uses  when  new  programs  are 
developed.  The  template  requires  the  Department  to  document  the  measurable 
targets  that  it  will  use  to  evaluate  the  effectiveness  of  the  program. 


1.2  Monitoring  performance — implemented 
Background 

In  our  J 999-2000  Annual  Report  (page  48),  we  recommended  that  the 
Department  strengthen  the  monitoring  and  review  of  employee  performance  and 
development. 


New 

performance 
management 
system 
implemented 


Our  audit  findings 

The  Department  has  implemented  the  recommendation  by: 

•  implementing  a  new  performance  management  system,  including  a 
Performance  Management  Contract  template  for  managers  and  a  new 
employee  job  performance  agreement  for  all  other  employees. 

•  requiring — in  its  management  guidelines — employees  to  match  their  goals 
and  competencies  with  the  Department's  requirements. 

•  having  its  Human  Resource  Services  monitor  employee  plans. 

•  training  Department  supervisors  on  giving  feedback  to  employees. 


2.  Performance  reporting 

2.1  Financial  statements 

Unqualified  Our  auditor's  reports  on  the  Ministry  and  Department  financial  statements  for 

M<inor  s  the  year  ended  March  3 1 ,  2007  were  unqualified, 
report  J  n 
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2.2  Performance  measures 

We  found  one  exception  when  we  completed  specified  auditing  procedures  on 
the  Ministry's  performance  measures.  Data  was  not  reported  for  the  measure 
titled,  Percent  of  Alberta  production  produced  under  on  farm  food  safety 
programs:  beef  feedlots.  As  a  result,  we  were  unable  to  complete  our  specified 
auditing  procedures  for  this  measure. 

3.   Other  entities  that  report  to  the  Minister 
3.1  Systems 

3.1.1  Loan  loss  allowance  methodology  and  process 

Recommendation 

We  recommend  that  the  Agriculture  Financial  Services  Corporation 
improve  its  loan  loss  methodology  and  processes  by: 

•  developing  guidelines  to  assess  which  loans  are  impaired 

•  incorporating  historical  loan  loss  experience 

•  periodically  updating  data  used  in  the  methodology 


Loan  loss  has 
two  parts  - 
general  and 
specific 
allowance 


Background 

The  loan  loss  allowance  is  an  estimate  of  the  losses  that  exist  in  the  loan 
portfolio  at  a  specific  time.  The  loan  loss  allowance  has  two  parts — the  specific 
loan  loss  allowance  (SLLA)  and  the  general  loan  loss  allowance  (GLLA).  The 
Corporation  records  an  SLLA  for  loans  it  identifies  as  impaired  and  a  GLLA  for 
loans  at  risk  of  loss,  but  not  specifically  impaired. 


Watch  list  used 
to  identify 
loans  at  risk 
for  the  specific 
allowance 


The  Corporation  creates  a  specific  loan  loss  watch  list  quarterly.  The  list 
includes  loans  with  more  than  two  payments  overdue  and  loans  with  security 
values  insufficient  to  cover  the  total  debt  outstanding.  For  loans  on  the  watch 
list,  account  managers  update  the  security  values  to  current  market  values  and 
decide  whether  to  categorize  the  loan  as  impaired.  For  impaired  loans,  the 
Corporation  subtracts  the  security  value  from  the  debt  outstanding  to  calculate 
the  SLLA. 


Credit  risk 
indicators  used 
to  identify 
loans  at  risk 
for  general 
allowance 


The  Corporation  uses  credit  risk  indicators,  such  as  credit  scores,  debt  service 
ratio  and  net  capital  ratio  to  identify  loans  at  risk  of  loss.  For  these  loans,  the 
Corporation  subtracts  the  security  value  from  the  debt  outstanding  to  calculate 
the  GLLA. 

The  Corporation  recorded  an  SLLA  of  $12.1  million  and  a  GLLA  of 
$18.5  million  at  March  31,  2007. 
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Criteria:  the  standards  we  used  for  our  audits 

The  SLLA  and  GLLA  methodology  and  process  should  include: 

•  guidelines  for  identifying  impaired  loans 

•  historical  loan  loss  experience  to  determine  expected  default  rates  by  risk 
factor 

•  data  that  is  complete  and  current 
Our  audit  findings 

This  year,  the  Corporation  changed  its  methodology  for  calculating  loan  loss 
allowances.  We  have  assessed  the  methodology  and  identified  the  following 
areas  for  improvement: 


No  specific 
guidelines  for 
determining 
loans  at  risk  of 
loss 


Guidelines  for  calculating  loan  impairment 

For  the  SLLA,  the  Corporation's  methodology  states  that  a  loan  should  be  set  to 
"impaired"  if  the  Corporation  is  at  risk  of  loss.  However,  the  Corporation  has 
not  developed  specific  guidelines  for  assessing  risk  of  loss  by  loan  type.  Risk  of 
loss  is  general  and  open  to  interpretation;  without  further  guidance,  account 
managers  may  not  consider  all  appropriate  factors  in  their  assessment  or  apply 
these  factors  consistently. 


Historical  loan 
loss  experience 
not  included  in 
methodology 


Historical  loan  loss  experience 

Historical  loan  loss  experience  is  an  indicator  of  expected  losses.  However,  the 
Corporation  has  not  included  historical  loan  loss  experience  in  the  GLLA 
methodology  because  it  does  not  have  sufficient  data  to  know  why  the  loss 
occurred  and  the  risk  factors  involved.  If  the  Corporation  had  this  information,  it 
could  incorporate  it  into  the  methodology  and  calculate  expected  default  rates  by 
risk  factor. 


Credit  risk 
indicators  and 
security  values 
are  not  up  to 
date  and 
complete  in 
lending 
systems 


Underlying  data 

The  new  methodology  uses  credit  risk  indicators  and  security  values  to  calculate 
the  loan  loss  allowance.  However,  the  Corporation's  processes  do  not  ensure 
that  credit  risk  indicators  and  security  values  are  updated  regularly  for  all  loans. 
In  the  past  two  years,  the  Corporation  improved  its  lending  system  and  now 
records  the  credit  risk  indicators  as  well  as  security  values  in  the  lending  system, 
when  the  loan  is  approved.  Account  managers  update  the  indicators  annually  for 
commercial  loans,  through  the  annual  commercial  account  review.  However, 
they  do  not  update  these  indicators  for  farm  loans  annually — instead,  they 
update  these  loans  only  if  a  customer  requests  additional  funds  or  a  loan  is 
amended. 


We  found  that  47%  of  the  Corporation's  loan  customers  did  not  have  the  credit 
risk  indicators  in  the  lending  system.  For  54%  of  the  Corporation's  loan 
customers,  the  Corporation  had  not  updated  the  security  values  in  the  lending 
system  in  more  than  two  years. 
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Implications  and  risks  if  recommendation  not  implemented 

The  Board  may  not  have  sufficient  information  to  accurately  determine  the 
SLLA  and  GLLA.  If  the  allowances  are  not  accurate,  the  Corporation  may  be 
exposed  to  losses  that  it  is  not  aware  of  or  may  provide  for  losses  that  don't 
exist. 

3.1.2     Wireless  technology 
Recommendation 

We  recommend  that  the  Agriculture  Financial  Services  Corporation  assess 
the  risks  associated  with  wireless  networking  and  implement  policies  and 
improve  controls  to  mitigate  the  significant  risks  identified. 

Background 

Wireless  devices  are  used  to  connect  to  a  wired  computer  network  to  provide 
wireless  network  access.  Without  proper  configuration  of  the  network, 
unauthorized  users  can  connect  to  such  wireless  devices  and  gain  access  to  the 
network  and  intercept  information. 

Criteria:  the  standards  we  used  for  our  audit 

The  Corporation  should: 

•  assess  the  risks  associated  with  wireless  technology 

•  develop,  approve,  and  enforce  a  wireless  networking  policy 

•  monitor  its  network  and  buildings  for  unauthorized  and  unsecured  wireless 
networking  equipment 

•  prevent  its  computers  from  connecting  to  unsecured  wireless  networks 

Our  audit  findings 

The  Corporation  has  started  using  wireless  technology.  However,  we  could  not 
find  evidence  that  the  Corporation  had  analyzed  and  assessed  the  risks  of 
wireless  networking,  before  using  it.  As  well,  the  Corporation  does  not  have  a 
wireless  networking  policy  that  explains  configuration,  security,  and  monitoring 
requirements. 

The  Corporation  does  not  monitor  its  network  or  buildings  for  unauthorized  and 
unsecured  wireless  networking  equipment.  We  found  three  unsecured  wireless 
devices  connected  to  the  Corporation's  main  computer  network.  Two  of  the 
devices  did  not  have  encryption  enabled  and  sent  information  in  plain  text.  We 
also  found  four  computers  connected  to  the  wireless  devices.  Three  computers 
belonged  to  the  Corporation's  employees;  however,  the  Corporation  was  unable 
to  identify  the  origin  of  the  fourth  computer. 

The  Corporation  removed  the  wireless  devices  after  we  brought  these  significant 
risks  to  its  attention. 


No  policy  for 

wireless 

technology 
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Implications  and  risks  if  recommendation  not  implemented 

Without  understanding  the  risks  of  wireless  technology  and  implementing  a 
wireless  policy,  preventive  controls,  and  monitoring,  unauthorized  users  can 
access  the  Corporation's  network  and  sensitive  data,  such  as  personal  and 
financial  information. 


3.1.3      Manual  CAIS  claims 
Recommendation 

We  recommend  that  the  Agriculture  Financial  Services  Corporation 
improve  data  entry  controls  for  manual  Canadian  Agricultural  Income 
Stabilization  claims. 


CAIS  claims 

processed 

manually 


Background 

The  Corporation  processes  the  majority  of  Canadian  Agricultural  Income 
Stabilization  (CAIS)  claims  through  the  CAIS  system  (OMNI).  However,  when 
the  Corporation  receives  a  claim  early  in  the  calendar  year  following  the  claim 
year  (for  example,  it  receives  a  2005  claim  early  in  2006)  the  OMNI  system 
does  not  have  all  of  the  table  data  (prices)  in  it  to  process  the  claim.  The 
Corporation  processes  these  claims  manually.  For  2006  manual  claims,  the 
Corporation  paid  out  either  50%  or  80%  of  the  benefit,  depending  on  the 
commodities  in  the  claim.  When  OMNI  can  process  current-year  claims,  the 
Corporation  uses  it  to  reprocess  the  claim  and  then  pays  the  remaining  benefit. 


Call  center  employees  enter  the  CAIS  claim  information  into  spreadsheets  for 
manual  CAIS  claims.  The  claim  is  then  reviewed  by  verification  staff,  who 
ensure  that  the  call  center  employees  have  entered  participants'  data  correctly 
and  then  perform  the  required  verification  procedures.  Before  payment,  an 
approver — independent  of  data  entry  and  verification — approves  the  claim. 

Of  $239  million  in  CAIS  claims  (16,488  claims)  processed  between  April  2006 
and  February  2007,  the  Corporation  processed  27  claims  manually  totalling 
$1.8  million. 

Criteria:  the  standards  we  used  for  our  audits 

The  Corporation  should  input  manual  CAIS  claims  into  spreadsheets  accurately 
and  calculate  the  claim  in  accordance  with  program  rules  and  guidelines. 


Manual  CAIS 
claims  entered 
incorrectly 
resulting  in 
underpaid 
claims 


Our  audit  findings 

We  tested  a  sample  of  six  2006  claims  processed  manually.  Data  had  been 
entered  incorrectly  in  two  of  the  six  claims,  resulting  in  underpayments  of 
$77,000.  For  one  claim,  the  historical  expenses  were  entered  in  the  incorrect 
year  (2002  expenses  entered  for  2001).  For  another  claim,  data  entry  staff 
entered  the  ending  inventory  numbers  on  the  incorrect  commodity  code  line,  and 
there  was  also  a  transposition  error.  In  addition,  the  opening  unpaid  expenses 
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did  not  match  the  ending  unpaid  expenses  from  the  prior-year  verified  claim. 
The  call  center  staff  had  entered  these  claims,  and  at  least  two  independent  staff 
had  reviewed  them,  before  payment.  Although  data  entry  controls  are  in  place, 
they  are  not  operating  effectively. 

Implications  and  risks  if  recommendation  not  implemented 

Without  proper  verification  of  the  data  input,  manual  claims  could  result  in 
incorrect  payments  to  CAIS  participants. 

3.1.4.  Administering  the  Canadian  Agricultural  Income  Stabilization  program — 
implemented 

Background 

In  our  2004-2005  Annual  Report  (page  120),  we  recommended  that  the 
Agriculture  Financial  Services  Corporation  improve  controls  over  the 
administration  of  the  Canadian  Agriculture  Income  Stabilization  program. 

Our  audit  findings 

The  Corporation  has  implemented  the  recommendation.  In  2006-2007,  it  started 
using  the  new  CAIS  system,  which  has: 

•  automated  controls  built  in  to  verify  claim  information. 

•  improved  reasonability  reporting  and  documentation  controls.  The  new 
CAIS  system  requires  processing  staff  to  document  variances  and  provide 
support  for  amounts  used  in  the  calculation.  We  tested  a  sample  of 

10  claims  processed  through  the  new  system  and  found  sufficient 
documentation  to  explain  the  amounts  used  in  the  calculation. 

•  the  ability  to  share  information  between  CAIS,  insurance  and  lending 
computer  application  systems.  Sharing  of  information  between  systems  will 
assist  with  claim  verification. 

Corporation  has  also  improved  controls  in  the  following  areas: 
Testing  CAIS  spreadsheets — this  year,  the  business  analysis  acceptance 
group  tested  the  Microsoft  Excel  advance  spreadsheets  before  implementing 
them. 

Identification  of  "high-risk"  participant  criteria — the  Corporation  has 
developed  criteria  for  identifying  high-risk  CAIS  participants  and  the  Board 
recently  approved  the  implementation  of  random  CAIS  audits. 

3.1.5  Testing  of  advance  payment  methodology — implemented 
Background 

In  our  2004—2005  Annual  Report  (page  123),  we  recommended  that  before 
making  advance  payments  under  the  Canadian  Agricultural  Income  Stabilization 
program,  the  Corporation  thoroughly  test  its  methodology  for  calculating 
payments. 


Improvement 
in  CAIS 
internal 
controls  with 
new  CAIS 
system 


The 
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Our  audit  findings 

The  Corporation  has  not  implemented  any  new  advance  payment  methodologies 
this  year  but  the  federal  and  provincial  governments  have  agreed  to  a  new 
advance  methodology,  called  the  benchmark  margin  advance. 


Incentive 
eligibility 
requirements 
met 


3.1.6  Alberta  Farm  Loan  program  (formerly  Beginning  Farmer  Loan  program) — 

implemented 

Background 

In  our  2004-2005  Annual  Report  (pages  1 16-120),  we  recommended  that  the 
Agriculture  Financial  Services  Corporation: 

•  clearly  define  program  eligibility  criteria  and  improve  controls  over 
awarding  beginning  farmer  loans,  and 

•  improve  program  administration  and  management. 

Effective  April  I,  2006,  the  Corporation  incorporated  aspects  of  the  Beginning 
Farmer  Loan  (BFL)  program  in  the  new  Alberta  Farm  Loan  (AFL)  program. 

Our  audit  findings 

Program  eligibility — the  AFL  program  offers  a  1.5%  interest  rate  reduction  for 
the  first  five  years  as  a  beginning  fanner  incentive.  To  assess  if  an  applicant 
qualifies  for  the  incentive,  the  Corporation  uses  the  applicant's  net  worth  at  the 
time  of  application.  We  tested  14  loans  and  found  that  all  loans  sampled  met  the 
incentive  eligibility  requirements. 


Documentation 
in  accordance 
with  lending 
policy  and 
procedures 
manual 


Controls  for  awarding  loans — the  Corporation  has  updated  the  lending  policy 
and  procedures  manual.  The  manual  includes  the  documentation  requirements  to 
confirm  a  borrower's  financial  condition,  chattel  security  values,  and  arrears 
monitoring.  We  tested  a  sample  of  20  loans  and  found  that  the  documentation 
requirements  for  the  borrower's  financial  condition  and  chattel  security  values 
were  met.  We  also  tested  1 5  loans  in  arrears  and  found  the  Corporation  was 
monitoring  the  arrears  in  accordance  with  the  procedures. 


Objectives  of 
the  beginning 
fanner 

program  were 
met 


Program  administration  and  management — the  Corporation  has  analyzed  the 
results  of  the  2006  survey  of  customer  satisfaction  and  found  the  objectives  of 
the  Beginning  Fanner  Loan  Program  were  met.  The  Corporation  has  included  a 
question  on  the  Alberta  Farm  Loan  Program  in  the  2007  survey  of  customer 
satisfaction. 
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Unqualified 

auditor's 

opinion 


Unqualified 

auditor's 

opinion 


3.2  Performance  reporting 

Our  auditor's  report  on  the  Agriculture  Financial  Service  Corporation's  financial 
statements  for  the  year  ended  March  31,  2007  is  unqualified. 

3.3  Other  audits 

At  the  request  of  the  Agriculture  Financial  Services  Corporation,  we  audited  the 
following  schedules  related  to  the  Canadian  Farm  Income  Program.  We 
addressed  our  unqualified  auditor's  report  to  Agriculture  and  Agri-Food  Canada. 

•  Farm  Income  Assistance  Program  credit  amount  and  advances  received 
from  the  Government  of  Canada  for  200 1 . 

•  Farm  Income  Assistance  Program  credit  amount  and  advances  received 
from  the  Government  of  Canada  for  2002. 
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Children's 


Services 


Summary:  what  we  found  in  our  audits 


Three  core 
businesses 


Ministry  spent 
$900  million 


Systems 

Child  Intervention  Services — see  Volume  1,  page  63. 
Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department, 
and  10  Child  and  Family  Services  Authorities  are  unqualified.  We  found  one 
exception  when  we  completed  specified  auditing  procedures  on  the  Ministry's 
performance  measures — see  page  4 1 . 


The  Ministry  consists  of  the  Department  and  10  Child  and  Family  Services 
Authorities  (Authorities).  The  Department  supports  the  Authorities,  and 
co-ordinates  provincial  programs  such  as  the  Prevention  of  Family  Violence 
program.  The  Authorities  encompass  the  different  regions  of  the  province  and 
deliver  most  of  the  Ministry's  services. 

The  Ministry's  2006-2009  business  plan  describes  three  core  businesses: 

•  promoting  the  development  and  well-being  of  children,  youth  and 
families 

•  keeping  children,  youth  and  families  safe  and  protected 

•  promoting  healthy  communities  for  children,  youth  and  families 

In  2006-2007,  the  Ministry  spent  $900  million,  of  which  the  Authorities  spent 
$681  million.  The  following  programs  are  significant  expenses: 

(millions  of  dollars) 
Child  intervention  $  446 

Child  care  104 
Services  to  children  with  disabilities  101 
Family  and  community  support  67 
Program  support  services  40 
Prevention  of  family  violence  34 
Early  intervention  33 


Overview  of  the  Ministry 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


39 


Volume  2 — Audits  and  recommendations 


Children's  Services 


Ministry  received     The  Ministry  had  $305  million  in  revenue  in  2006-2007;  $243  million  of  this 
came  from  the  following  transfers  from  the  federal  government: 

(millions  of  dollars) 
Canada  Social  Transfer  $137 
Early  Learning  and  Child  Care  66 
Children  Special  Allowance  23 
Service  to  On-reserve  Status  Indians  17 

For  more  details  on  the  Ministry,  visit  its  website  at  www.child.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  followed  up  our  previous  recommendation  from  our 
2004-2005  Annual  Report  that  the  Ministry  sign  agreements  (whether 
new  or  renewal)  before  contractors  supply  goods  or  services.  We  also 
examined  the  Ministry  systems  for  Child  Intervention  Services. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  the  Department,  and 
the  following  10  Authorities  for  the  year  ended  March  31,  2007: 

1 .  Southwest  Alberta  Child  and  Family  Services  Authority 

2.  Southeast  Alberta  Child  and  Family  Services  Authority 

3.  Calgary  and  Area  Child  and  Family  Services  Authority 

4.  Central  Alberta  Child  and  Family  Services  Authority 

5.  East  Central  Alberta  Child  and  Family  Services  Authority 

6.  Edmonton  and  Area  Child  and  Family  Services  Authority 

7.  North  Central  Alberta  Child  and  Family  Services  Authority 

8.  Northwest  Alberta  Child  and  Family  Services  Authority 

9.  Northeast  Alberta  Child  and  Family  Services  Authority 

10.  Metis  Settlements  Child  and  Family  Services  Authority 

We  completed  specified  auditing  procedures  on  the  Ministry's 
performance  measures. 
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Our  audit  findings  and  recommendations 


Many  contracts  to 
provide  services 


1 .  Systems 

1.1  Timely  contract  approvals — implemented 
Background 

The  Department  and  the  Authorities  annually  enter  into  and  manage 
contracts  to: 

•  deliver  services  to  children  and  families  such  as  group  homes, 
residential  treatment  facilities  and  women's  shelters. 

•  receive  administration  services  such  as  information  technology 
maintenance  and  operation,  and  consulting  services. 


In  our  2004—2005  Annual  Report  (No.  24 — page  129),  we  recommended 
that  the  Ministry  sign  agreements  (whether  new  or  renewal)  before 
contractors  supply  goods  or  services. 


Ministry 

implemented 

recommendation 


Our  audit  findings 

The  Ministry  implemented  the  recommendation.  Authorities  started  their 
negotiations  with  agencies  earlier  and  started  to  tender  some  of  their 
contracts  for  more  than  one  year.  Almost  all  contracts  we  reviewed  were 
signed  before  the  contractor  started  delivering  services.  Others  were 
signed  shortly  after  services  started. 


2.  Performance  reporting 
2.1  Financial  statements 

Unqualified  Our  auditor's  reports  on  the  Ministry,  Department  and  Authorities 

au  nor  s  reports  financial  statements  for  the  year  ended  March  31,  2007  we  unqualified. 


2.2  Performance  measures 

Exception  We  found  an  exception  with  for  the  measure  Percentage  of  adults  staying 

at  government  funded  women 's  emergency  shelters  who  report  that  they 
are  better  able  to  keep  themselves  and  the  children  under  their  care  safer 
from  abuse  measure.  We  found  errors  arising  from  inconsistencies  in  the 
processes  to  compile  survey  data  for  the  measure.  Therefore,  we  were  not 
able  to  conclude  that  the  results  presented  were  reliable  and  comparable. 
Management  has  explained  in  the  Ministry  Annual  Report  that  the  data 
reported  for  this  measure  is  incomplete,  and  the  procedures  relating  to  the 
data  for  this  measure  are  being  developed  and  improved. 
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Education 

Summary:  what  we  found  in  our  audits 

Systems 

The  Department  should  establish  a  policy  for  developing  business  cases — see 
page  45,  and  quantify  the  cost  of  savings  generated  by  the  Learning  Resources 
Centre — see  page  46. 

Performance  Reporting 

Our  auditor's  reports  on  the  Department  and  the  Alberta  School  Foundation  Fund 
financial  statements  are  unqualified. 

exceptions    \ye  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

Performance  reporting 

•  Northland  School  Division  No.  61 

We  issued  an  unqualified  opinion  on  the  financial  statements  of  Northland 
School  Division  No.  61. 

•  School  jurisdiction  financial  reporting  and  audit  findings 

We  have  summarized  internal  control  weaknesses  and  financial  statement 
reporting  issues  from  our  review,  under  section  19(4)  of  the  Auditor  Genera/ 
Act,  of  the  audited  financial  statements  and  audit  findings  for  the  75  school 
boards  and  charter  schools — see  page  48. 


Unqualified 
Auditor's 
Reports 


Overview  of  the  Ministry 

The  Ministry's  2006-2009  business  plan  describes  one  core  business:  To  lead  and 
support  the  kindergarten  to  grade  12  education  system  so  that  all  students  are 
successful  at  learning.  The  core  business  includes  three  goals: 

•  high  quality  learning  opportunities  for  all 

•  excellence  in  student  learning  outcomes 

•  highly  responsive  and  responsible  education  system 
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In  2006-2007,  the  Ministry  spent  approximately  $5.6  billion.  The  largest  expenses 


The  Ministry's  revenue  was  approximately  $1.5  billion  in  2006-2007.  The  primary 
source  of  revenue  is  education  property  taxes  ($1.3  billion). 

For  more  information  on  the  Ministry,  visit  its  website  at 
http://www.education.gov.ab.ca/. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  audited  the  Department's  use  of  business  cases.  We  followed  up  our 
previous  year  recommendation  on  purchase  of  textbooks. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  Department,  and  the 
Alberta  School  Foundation  Fund  for  the  year  ended  March  31,  2007.  We 
completed  specified  auditing  procedures  on  the  Ministry's  performance 
measures. 

3.  Other  entities  that  report  to  the  Minister 

We  performed  the  following  work  on  entities  that  report  to  the  Minister: 

•  We  audited  the  financial  statements  of  the  Northland  School  Division 
No.  61  for  the  year  ended  August  3 1 ,  2006. 

•  We  reviewed,  under  section  19(4)  of  the  Auditor  General  Act,  the  audited 
financial  statements  and  audit  findings  for  the  75  school  jurisdictions  and 
charter  schools  for  the  year  ended  August  31,  2006. 


are: 


Operating  support  to  school  jurisdictions 

School  facilities 

Teachers'  pensions 

Accredited  private  school  support 


(millions  of  dollars) 

$  3,969 


984 
483 
144 
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Our  audit  findings  and  recommendations 

1 .  Systems 
1.1  Business  cases 
Recommendation 

We  recommend  that  the  Department  of  Education  establish  a  policy  for 
developing  business  cases. 

Background 

On  August  31,  2005,  the  Department  of  Education  signed  a  contract  w  ith  a 
service  provider  to  develop  a  computer-based  student  assessment  tool.  The 
objective  is  to  improve  student  achievement. 

The  initial  term  of  the  contract  was  for  three  years,  with  a  minimum  fee  of 
$2.9  million  over  the  term  of  the  contract,  which  was  based  on 
150,000  students  taking  the  test  annually. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  a  policy  for  developing  business  cases  (see 
glossary).  The  policy,  including  guidelines,  should  deal  with: 

•  the  form  and  content  of  business  case  analysis 

•  the  size  of  projects  for  which  business  cases  are  required 

•  comparison  of  life  cycle  costs  of  all  reasonable  alternatives 

•  identification  and  analysis  of  risk  factors 

•  analysis  of  qualitative  factors 

•  cost-benefit  analysis 

•  assignment  of  responsibility  for  preparing  business  case  analysis 

The  policy  should  also  include  processes  to  challenge,  test  and  review  business 
cases  to  ensure  that  appropriate  due  diligence  is  carried  out. 

Our  audit  findings 

The  Department  did  not  prepare  a  written  business  case  for  the  smdent 
assessment  tool.  Consequently,  it  is  not  clear  whether  the  Department  took 
appropriate  steps  to: 

•  identify  and  evaluate  whether  any  alternative  approaches  were  available 
that  could  achieve  the  same  objectives  more  effectively — that  is  more 
efficiently  or  at  lower  cost 

•  evaluate  whether  the  benefits  of  proceeding  with  the  project  justified  the 
cost 

•  analyze  qualitative  factors,  such  as  how  the  tool  would  assist  the 
Department  in  achieving  its  goal  of  improving  student  achievement 

•  evaluate  and  deal  with  key  risks,  such  as  the  risk  that  the  project  may  not 
improve  student  achievement  or  the  risk  that  key  stakeholders,  particularly 
teachers,  will  not  accept  this  tool. 


Business  cases 
not  prepared 
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Also,  business  cases  were  not  prepared  for  information  technology  projects. 

Management  told  us  that  the  Department  did  not  prepare  business  cases  for  its 
projects  because  it  did  not  have  a  formal  policy  for  preparing  written  business 
cases. 

Implications  and  risks  if  recommendation  not  implemented 

Decision  makers  may  not  have  the  necessary  information  on  the  cost 
effectiveness  of  reasonable  alternatives.  Consequently,  the  Department  is  at 
risk  of  wasting  resources  by  not  achieving  its  objectives. 

1 .2  Purchase  of  textbooks — recommendation  repeated 

We  have  repeated  our  2005  recommendation  as  the  Department  has  yet  to 
quantify  the  cost  savings  generated  by  the  Learning  Resources  Centre. 

Recommendation  No.  22 

We  again  recommend  that  the  Department  of  Education  implement  a 
system  to  periodically  evaluate  the  savings  generated  by  the  Learning 
Resources  Centre. 

Background 

We  originally  made  this  recommendation  in  our  2004-2005  Annual  Report 
(No.27 — page  157).  We  also  recommended  that  the  Department  identify 
opportunities  for  additional  savings. 

The  Learning  Resources  Centre  (the  Centre)  purchases  textbooks  and  other 
resources  in  bulk  for  sale  to  schools.  Sales  in  Alberta  are  approximately 
$25  million.  The  Centre  is  able  to  access  greater  publisher  discounts  than  are 
offered  to  school  jurisdictions  individually,  and  additional  discounts  through  its 
Early  Order  Discount  (EOD)  program. 

The  Centre  incurs  costs  for  shipping  from  publishers,  redistribution  to  schools, 
overhead  costs  to  warehouse  and  manage  its  inventory  of  materials,  and 
production  costs  for  distance  learning  materials  for  the  Alberta  curriculum. 
The  Centre  passes  these  costs  on  to  school  jurisdictions  through  its  mark-up  on 
the  materials  it  sells. 

In  its  response  to  our  2004-2005  Annual  Report,  the  Department  committed  to 
carrying  out  an  overall  evaluation  of  the  Centre  in  2006-2007,  to  quantify  all 
cost  savings  realized  by  the  Centre,  and  identify  areas  for  further  savings. 


Economies  of 
scale 


Costs  flow 
through  to 
schools 
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Criteria:  the  standards  we  used  for  our  audit 

Periodically  the  Department  should  evaluate  the  savings  provided  to  the 
kindergarten  to  grade  12  (K-12)  sector  by  the  Centre,  to  determine  the  amount 
of  net  savings  for  the  sector,  and  to  evaluate  the  v  alue  of  the  Centre  to  the 
sector. 

Our  audit  findings 

The  Department  has  looked  for  further  opportunities  to  achieve  savings  for  the 
sector,  and  we  find  that  it  has  implemented  our  recommendation  to  identify 
opportunities  for  additional  savings. 

•  The  Department  considers  the  greatest  potential  savings  for  the  sector  to 
be  through  the  EOD  program.  To  increase  the  utilization  of  this  program, 
the  Department  improved  its  processes  to  approve  new  materials  promptly 
enough  to  allow  schools  to  order  them  through  the  program.  Also,  the 
Centre  encouraged  school  jurisdictions  to  make  better  use  of  the  program 
to  obtain  discount  prices.  Orders  under  the  EOD  program  to 

June  30,  2007  represent  43%  of  orders  for  the  year,  up  from  23%  of  orders 
in  the  previous  year. 

•  The  Department  also  considered  having  large  orders  for  books  shipped 
directly  from  publishers  to  schools,  to  eliminate  the  need  for  re-packing  at 
the  Centre's  warehouse,  but  concluded  it  would  not  achieve  savings  for 
the  sector.  The  Centre's  discounts  from  publishers  are  dependent  on 
combining  orders  into  fewer  and  larger  shipments,  and  large  orders  by 
school  jurisdictions  might  still  need  to  be  re-packed  by  those  jurisdictions 
for  shipment  to  individual  schools. 

•  The  Department  has  begun  working  with  some  post-secondary  institutions 
(PSIs)  to  identify  potential  savings  the  Centre  could  achieve  by  buying 
books  on  their  behalf.  The  Centre  has  identified  some  common  materials 
for  one  program,  negotiated  additional  discounts  from  the  publishers  based 
on  a  minimum  volume,  and  drafted  a  proposal  for  the  PSIs  to  consider. 
The  Centre  should  continue  to  promote  the  proposal,  and  look  for  further 
opportunities  to  produce  savings  through  buying  other  materials  for  other 
PS  I  programs. 

•  The  Department  is  also  continuing  to  develop  its  relationship  with  British 
Columbia  schools  to  build  a  stable  level  of  purchases  through  the  Centre. 

While  the  Department  may  have  increased  savings  for  school  jurisdictions 
through  the  expansion  of  the  EOD  program,  it  still  has  not  quantified  the 
savings  generated  by  the  Centre  for  the  learning  sector.  The  purpose  of 
quantifying  the  savings  is  to  prove  that  the  Centre  has  value. 
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To  implement  this  recommendation,  the  Department  needs  to  analyze  the  costs 
of  the  Centre  relative  to  the  costs  that  would  have  been  incurred  by  school 
jurisdictions  if  they  had  ordered  directly  from  publishers,  and  quantify  the  net 
savings  to  the  K- 1 2  sector. 

Implications  and  risks  if  recommendation  not  implemented 

Without  a  periodic  analysis  of  the  cost  savings  generated  by  the  Centre,  the 
Department  cannot  be  certain  that  the  Centre  is  achieving  a  net  saving  for  the 
K-12  sector. 


Qualified  audit 

opinion 

removed 


Net  assets 
would  have 
increased  by 
$2.4  billion 

Unqualified 
opinions 


2.    Performance  reporting 
2.1  Financial  statements 

Last  year,  we  qualified  our  opinion  on  the  financial  statements  of  the  Ministry 
because  they  did  not  include  the  school  jurisdictions.  This  year,  we  removed 
our  qualification  because  the  Ministry  included  school  jurisdictions  using  the 
modified  equity  method  of  consolidation. 

The  modified  equity  method  of  consolidation  is  allowed  as  a  transition  to 
line-by-line  consolidation,  which  will  be  required  for  the  year  ended 
March  31,  2009. 

Under  line-by-line  consolidation,  the  Ministry's  capital  assets  would  have  been 
fully  consolidated  so  net  assets  at  March  3 1 ,  2007  would  have  increased  by 
approximately  $2.4  billion. 

We  issued  unqualified  opinions  on  the  Department  and  the  Alberta  School 
Foundation  Fund  financial  statements. 
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2.2  Performance  measures 

We  found  no  exceptions  when  we  applied  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

3.   Other  entities  that  report  to  the  Minister 

3.1  Review  of  school  jurisdiction  audited  financial  statements  and 

management  letters 

Background 

We  audit  one  of  the  school  jurisdictions.  For  those  jurisdictions  we  don't  audit, 
we  review  the  management  letters  sent  to  the  jurisdictions  by  their  auditors. 
Those  audits  were  not  designed  to  assess  all  key  systems  of  control  and 
accountability.  However,  the  auditors  tell  management  about  weaknesses  that 
come  to  their  attention  when  auditing  the  financial  statements.  We  also  review 
the  auditors'  reports  on  the  financial  statements. 

There  are  75  school  jurisdictions  comprising  62  school  boards  and  13  charter 
schools. 
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Our  audit  findings 

qualified  Auditors'  Reports — of  the  75  school  jurisdictions,  one  (one  of  the  t\\  o 

reported  in  2005)  received  a  qualified  auditors"  report  for  the  year  ended 
August  31,  2006.  The  report  was  qualified  because  the  auditor  was  unable  to 
verify  the  completeness  of  revenue  from  school  generated  funds.  The  Ministry 
is  working  with  the  school  jurisdiction  to  have  this  qualification  removed. 

One  auditor  reported  that  the  2006  (none  in  2005)  financial  statements  had 
been  prepared  on  a  disclosed  basis  of  accounting  rather  than  in  accordance 
with  Canadian  generally  accepted  accounting  principles  (GAAP).  The  school 
jurisdiction  used  a  disclosed  basis  of  accounting  because  it  disagreed  with  the 
Ministry  of  Education's  advice  that  an  asset  retirement  obligation  should  not 
be  recorded.  The  Ministry  is  discussing  this  issue  with  the  school  jurisdiction 
and  has  clarified  its  advice  on  asset  retirement  obligations  in  its  Guidelines  for 
School  Jurisdiction  Audited  Financial  Statements  for  the  Year  Ended 
August  31,  2007.  All  other  school  jurisdiction  auditors  reported  that  the  2006 
financial  statements  were  prepared  in  accordance  with  GAAP. 

Financial  statements — of  the  75  school  jurisdictions,  12  (30  in  2005)  had 
annual  operating  deficits  comprising  1 1  (28  in  2005)  school  boards  and  1  (2  in 
2005)  charter  school.  Annual  operating  deficits  are  acceptable  to  the  Ministry 
as  long  as  sufficient  accumulated  operating  surplus  funds  are  available  to  cover 
the  shortfall. 

Accumulated  operating  deficits  are  not  acceptable  to  the  Ministry.  School 
jurisdictions  with  accumulated  operating  deficits  are  expected  to  work  with  the 
Ministry  to  eliminate  the  accumulated  operating  deficit  in  accordance  with  a 
Minister  approved  deficit  elimination  plan.  Last  year,  we  reported  that  at 
August  31,  2005,  four  jurisdictions  had  accumulated  operating  deficits.  By 
August  31,  2006,  two  of  these  jurisdictions  had  eliminated  their  accumulated 
operating  deficits,  one  had  reduced  it  and  one  increased  it. 

Management  letters — the  following  is  a  summary  of  the  audit  findings  and 
recommendations  reported  in  writing  to  school  jurisdictions  by  their  auditors 
for  the  year  ended  August  31,  2006.  We  have  organized  the  summary  into 
areas  with  an  increased  incidence  of  findings  and  areas  with  fewer  findings 
than  previously. 

Areas  with  more  findings  than  in  the  previous  year 
a)    Cash  management — 19  jurisdictions  (including  6  of  the  9  reported  in 
2005)  need  to  improve  cash  management  processes  and  controls. 


Two 

accumulated 
operating 
deficits 
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b)  School-generated  funds — 26  school  jurisdictions  (including  14  of  the  18 
reported  in  2005)  need  to  improve  the  processes  used  to  collect,  record, 
spend  and  report  school-generated  funds. 

c)  Computer  security — 8  jurisdictions  (including  3  of  the  4  reported  in 
2005)  need  to  improve  computer  security  processes  by  reviewing  access 
privileges,  backing  up  data  more  frequently,  installing  intrusion  detection 
software  or  developing  security  policies. 

d)  Purchases — 21  jurisdictions  (including  7  of  the  18  reported  in  2005)  need 
to  improve  controls  over  the  purchase  cycle  such  as  the  implementation  of 
review  and  authorization  processes  over  purchases  and  payments, 
retention  of  supporting  documentation,  and  the  recognition  of  payables  at 
year  end. 

e)  Personnel  management — 6  jurisdictions  (including  3  of  the  4  reported  in 
2005)  need  to  take  action  to  deal  with  staff  shortages  and  training  or  they 
need  to  be  more  involved  with  decisions  made  at  the  school  level. 

f)  Board  approval — 6  jurisdictions  (including  3  of  the  4  reported  in  2005) 
need  to  ensure  that  board  approvals  are  obtained  for  matters  such  as  board 
minutes,  accounts  receivable  write-offs,  fund  transfers  and  expense 
reports. 

g)  Review  of  financial  information — 15  jurisdictions  (including  6  of  the  14 
reported  in  2005)  need  to  improve  their  review  of  financial  information 
such  as  bank  reconciliations,  journal  entries,  monthly  financial  statements 
and  variances  between  budget  and  actual  expenditures. 

h)  Policies  and  procedures — 13  jurisdictions  (including  5  of  the  12  reported 
in  2005)  need  to  update  or  implement  formal  procedures  and  policies. 

i)  Audit  committee — 1  jurisdiction  (same  one  as  reported  in  2005)  should 
consider  establishing  an  audit  committee. 

Areas  with  fewer  findings  than  in  the  previous  year 

a)  Budgetary  process — 2  jurisdictions  (including  1  of  the  3  reported  in 
2005)  need  to  improve  their  budgetary  processes. 

b)  Goods  and  Services  Tax — 5  jurisdictions  (including  1  of  the  6  reported  in 
2005)  need  to  review  their  processes  for  recording  GST  and  remitting  GST 
returns. 
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c)    Segregation  of  duties — 6  jurisdictions  (including  1  of  the  7  reported  in 
2005)  need  to  have  segregation  of  duties  over  the  authorization  and 
recording  of  transactions  or  the  custody  of  and  accounting  for  certain 
assets. 


d)  Capital  assets — 5  jurisdictions  (including  2  of  the  9  reported  in  2005) 
need  to  improve  the  recording  and  tracking  of  capital  assets. 

e)  Accounting  issues — 4  jurisdictions  (including  2  of  the  10  reported  m 
2005)  need  to  resolve  accounting  issues  relating  to  capitalizing  assets, 
writing  off  uncollectible  accounts,  and  posting  journal  entries  in  the  proper 
period. 

f)  Timeliness  of  financial  recording —  6  jurisdictions  (including  2  of  the  13 
reported  in  2005)  need  to  ensure  accounting  transactions,  accruals, 
receivable  statements  or  financial  statements  are  prepared  or  recorded  on  a 
regular  and  timely  basis. 

g)  Payroll — 10  jurisdictions  (including  7  of  the  22  reported  in  2005)  need  to 
improve  controls  over  the  accuracy  of  and  access  to  payroll  information. 


The  Ministry  contacts  all  jurisdictions  and  encourages  them  to  deal  with  the 
issues  raised  in  the  management  letters,  particularly  noting  recommendations 
repeated  from  prior  years. 
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Employment,  Immigration  and 
Industry 

Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  should  improve  its: 

•  use  of  exception  reports  to  manage  its  income  support  program  and  have 
the  compliance  audit  function  examine  their  use — see  pages  55  and  56. 

•  controls  to  prevent  duplicate  income  support  payments  from  being 
processed — see  page  57. 

•  capital  asset  policy  and  procedures.  These  are  not  detailed  enough  to  help 
in  deciding  if  a  purchase  is  a  capital  asset  or  a  current  year  expense — see 
page  58. 

The  Ministry  also  needs  to  obtain  independent  assurance  on  the  control 
environment  at  its  information  technology  service  providers — see  page  60. 

Performance  reporting 

Our  auditor's  report  on  the  Ministry  financial  statements  is  unqualified  and  we 
found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

Performance  reporting — Workers'  Compensation  Board  (WCB) 
We  issued  an  unqualified  auditor's  opinion  on  the  financial  statements  of  WCB 
for  the  year  ended  December  31,  2006.  Also,  we  found  no  exceptions  when  we 
completed  specified  auditing  procedures  on  WCB's  performance  measures  in  its 
accountability  framework. 


Overview  of  the  Ministry 

Ministry  entities       jfe  Ministry  delivers  programs  and  services  through  the  Department  of 

Employment,  Immigration  and  Industry,  the  Alberta  Labour  Relations  Board, 
the  Appeals  Commission  for  Alberta's  Workers'  Compensation,  and  the 
Workers'  Compensation  Board.  The  Northern  Alberta  Development  Council's 
expenses  are  included  in  the  Ministry's  financial  statements. 
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Ministry  spent 

$888 

Million 


In  2006-2007,  the  Ministry  spent  $888  million  on  the  following: 

(millions  of  dollars) 

People  and  Skills  Investments  $  695 

Industry,  Regional  and  Rural  Development  130 

Workplace  Investments  29 

Labour  Relations  and  Adjudication  3 

Workers'  Compensation  Appeals  9 

Other  22 


Ministry  received 
$238  million 


The  Ministry  received  $238  million  in  2006-2007,  $190  million  of  which  came 
from  the  following  transfers  from  the  Government  of  Canada: 

(millions  of  dollars) 
Labour  market  Development  Agreement  Benefits  $  1 1 8 

Canada  Social  Transfer  45 
Rehabilitation  of  Disabled  Persons  25 
Canadian  Agriculture  Skills  Services  2 


WCB's  financial 
results 


WCB's  financial  results  are  reported  for  the  calendar  year  and  are  not 
consolidated  with  the  Ministry.  Its  financial  results  are  summarized  as  follows: 

(millions  of  dollars) 

Revenue  $  1,724 

Expenses  974 
Assets  6,785 
Liabilities  4,972 
Reserves  and  fund  balance  1,813 


For  more  information  on  the  Ministry  and  its  programs,  see  its  website  at 
www.gov.ab.ca/eii.  For  more  information  on  WCB  and  its  programs,  see  its 
website  at  www.wcb.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .    Performance  reporting 

We: 

•  audited  the  financial  statements  of  the  Ministry  for  the  year  ended 
March  31,  2007. 

•  audited  the  March  3 1 ,  2007  Labour  Market  Development  Claim  and 
the  March  3 1 ,  2006  Employability  Assistance  for  People  with 
Disabilities  Claim. 

•  completed  specified  auditing  procedures  on  the  Ministry's  performance 
measures. 
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2.    Other  entities  that  report  to  the  Minister 

2.1  Performance  reporting — Workers'  Compensation  Board 

We  audited  the  financial  statements  of  the  Workers  C  ompensation  Board 
for  the  year  ended  December  31,  2006.  We  also  audited  the  schedule  of 
administrative  charges  on  WCB  for  the  year  ended  December  3  1 .  2006. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Income  support  program — exception  reports 
Recommendation 

We  recommend  that  the  Ministry  of  Employment,  Immigration  and 
Industry  improve  the  use  of  exception  reports  to  manage  the  income 
support  program  by: 

•  identifying  exception  reports  available. 

•  assessing  if  the  exception  reports  identify  key  program  risks. 

•  identifying  the  review  and  follow-up  requirements. 

Background 

The  Ministry  has  developed  a  series  of  exception  reports  to  give 
management  and  staff  at  the  worksites  information  on  payments  to  income 
support  recipient  payments. 

Exception  reporting  is  a  key  control.  Exception  reports  are  used  to  assist 
management  in  identifying  non-compliance  with  policy,  identifying  missing 
or  inconsistent  data,  and  monitoring  financial  transactions.  Examples  of 
exception  reports  include  a  report  that  identifies  instances  where  client 
budget  infonnation  is  missing,  or  where  unusual  or  duplicate  payments  are 
being  made. 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  use  exception  reports  to  identify  potential 
non-compliance  and  promptly  investigate  it. 


Exception 
reporting  is  a  key 
control 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


55 


Volume  2 — Audits  and  recommendations 


Employment,  Immigration  and  Industry 


Over  60  exception 
reports 


Reports  don't  cover 
all  risks 


Varied  use 


Incomplete  list 


Our  audit  findings 

Management  has  more  than  60  exception  reports  available  for  review  and 
potential  follow-up.  The  regional  office  personnel  use  some  of  the 
exception  reports  to  assist  them  in  monitoring  the  income  support  program. 
We  identified  the  following  areas  of  exception  reporting  that  need 
improvement: 

•  cases  where  risk  was  identified  but  no  exception  report  was  available. 
For  example,  if  an  income  support  recipient  is  classified  as  "expected 
to  work"  for  an  extended  period  of  time,  it  would  be  useful  to  review 
the  file  to  ensure  that  the  client's  circumstances  and  payments  are 
correct. 

•  varied  use  and  investigation  of  exception  reports  among  offices.  It  is 
not  clear  which  of  the  several  reports  that  staff  must  review  and  follow 
up,  and  which  reports  are  optional. 

•  an  incomplete  list  of  available  reports.  For  example,  the  list  did  not 
include  the  report  identifying  duplicate  payments  between  learners  and 
income  support  recipients.  Nor  did  it  list  the  exception  reports  available 
for  drug  utilization. 


Implications  and  risks  if  recommendation  not  implemented 

Non-compliance  with  policies  and  procedures  may  go  undetected  if 
relevant  exception  reports  are  not  available  or  used. 

1 .2  Compliance  audit  function — Income  support  program 
Recommendation 

We  recommend  that  the  Ministry  of  Employment,  Immigration  and 
Industry  strengthen  its  compliance  audit  of  the  income  support 
program  by  ensuring  that  its  regional  office  staff  review  and  act  on  key 
exception  reports. 


Conducting 
internal  compliance 
audits  is  a  key 
function  in  control 
for  income  support 
program 


Background 

Compliance  audit  is  a  key  control  for  the  accurate  processing  of  income 
support  payments.  Compliance  audit  tests  more  than  400  income  support 
payment  samples  each  year.  These  tests  of  the  income  support  recipient 
files  include: 

•  Matching  the  information  in  the  files  to  the  client  information  in  the 
Central  Client  Directory 

•  Ensuring  that  monthly  payments  to  income  support  recipients 
(excluding  Alberta  Medical  Benefits)  are  supported  by  documentation. 
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The  compliance  auditors  discuss  their  findings  with  caseworkers  and 
casework  supervisors  at  each  worksite  and  report  their  findings  to  six 
regional  directors.  The  results  of  these  audits  are  summarized  for  each 
region  and  shared  with  the  ministry's  Senior  Financial  Officer. 

Criteria:  the  standards  we  used  for  our  audit 

Compliance  audits  should  provide  relevant  and  timely  feedback  to 
management. 


Good  practices 


Should  include 
processes  to 
follow-up  on 
exceptions 


Our  audit  findings 

Compliance  auditors  use  good  practices  in  working  on  the  income  support 
program,  including: 

•  using  a  detailed  audit  program  defining  specific  procedures: 

•  using  an  objective  sampling  methodology  based  on  the  payment  data: 

•  preparing  working  papers  that  show  the  samples  selected  and  the 
procedures  performed: 

•  discussing  the  errors  identified  with  caseworkers  and  supervisors: 

•  preparing  a  summary  report  indicating  the  number  of  findings  by  type 
of  compliance  and  then  extrapolating  the  errors  over  the  payment 
population  and  calculating  the  impact  of  the  error  for  each  region. 

However,  compliance  auditors  can  improve  the  effectiveness  of  the 
compliance  audit  procedures.  The  Ministry  has  developed  a  series  of 
exception  reports  that  identify  potential  errors  and  matters  for  follow-up. 
The  compliance  audit  would  be  more  effective  if,  as  part  of  the  review, 
compliance  auditors  tested  management  follow-up  on  items  identified  in 
key  exception  reports. 

Implications  and  risks  if  recommendation  not  implemented 

If  compliance  auditors  don't  test  regional  offices  follow-up  then  areas  of 
non-compliance  identified  by  key  exception  reports  may  not  be  resolved. 

1.3  Debit  cards 

Recommendation 

We  recommend  that  the  Ministry  of  Employment,  Immigration  and 
Industry  improve  controls  to  prevent  duplicate  income  support 
payments  to  the  same  recipient. 

Background 

The  Ministry  has  issued  debit  cards  as  a  payment  method  for  income 
support  recipients  in  a  pilot  project  at  two  worksites — the  Edmonton  Centre 
and  Brooks. 
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Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  process  payments  accurately  and  completely — and 
only  once. 

Our  audit  findings 

The  Ministry  has  a  process  to  detect  duplicate  payments  made  to  an  income 
support  recipient  by  both  a  cheque  and  debit  card.  However,  the  process  for 
detecting  the  duplicate  payment  after  a  cheque  has  been  issued  won't  be 
efficient  or  effective  when  the  debit  card  system  is  expanded  to  other 
worksites. 

The  debit  card  system  is  not  interfaced  directly  into  the  Ministry's  income 
support  payment  system.  When  payment  is  by  debit  card,  the  caseworker 
must  update  a  field  in  the  income  support  payment  system  to  indicate  that. 
If  the  caseworker  doesn't  do  the  update,  two  payments  are  processed,  one 
by  cheque  and  the  other  by  debit  card.  The  cheque  is  mailed  the  following 
day. 

To  detect  duplicate  payments,  the  Ministry  generates  a  daily  exception 
report  that  identifies  debit  card  payments  that  do  not  match  the  information 
in  its  income  support  payment  system.  The  Ministry  follows  up  this  daily 
exception  report  to  identify  the  cause  of  the  discrepancy.  If  it  finds  a 
duplicate  payment,  it  has  to  notify  the  Finance  Ministry.  Then  the  Finance 
Ministry  must  locate  the  cheque  run — before  the  cheques  are  mailed — and 
cancel  it.  This  must  all  take  place  before  9  a.m.  each  morning  otherwise  the 
cheque  for  the  duplicate  payment  is  mailed  to  the  recipient. 

Implications  and  risks  if  recommendation  not  implemented 

The  Ministry  may  issue  duplicate  payments. 

Inefficiencies  exist  when  staff  time  is  required  to  identify,  locate  and  cancel 
cheques  issued  in  error. 

1.4  Capital  asset  policy 
Recommendation 

We  recommend  that  the  Ministry  of  Employment,  Immigration  and 
Industry  improve  its  capital  asset  policy  and  procedures. 


Process  to  detect 
duplicate  payments 
not  efficient 
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Background 

The  Ministry  is  implementing  new  systems.  In  2006-2007,  the  Ministry 
signed  a  contract  for  $19  million  for  new  software  to  support  the  Ministry  's 
Alberta  Works  initiative.  The  Ministry  also  purchased  other  new  computer 
equipment  and  software.  Total  capital  additions  for  computer  equipment 
and  software  at  March  31,  2007  were  $9  million. 

Existing  policy  7iie  Ministry's  existing  capital  asset  policy  states  that  the  following  items 

are  capital: 

•  buildings,  leasehold  improvements,  building  equipment  and 
infrastructure,  all  other  equipment  including  computer  hardware  and 
software,  office  equipment  and  furniture  whether  purchased  or 
self-constructed,  costing  $5,000  or  more: 

•  land,  regardless  of  cost  is  capitalized; 

•  new  systems  development  costs  for  management  information  systems 
that  are  required  for  the  entity's  operations  when  the  anticipated  direct 
development  costs  exceed  $100,000;  and 

•  major  enhancements  to  existing  management  information  systems  are 
to  be  capitalized  only  when  enhancement  costs  exceed  $25,000. 

Criteria:  the  standards  we  used  for  our  audit 

•  Assets  should  be  accurately  recorded  in  the  financial  statements  and  in 
the  proper  period; 

•  Policies  and  procedures  should  have  sufficient  detail  to  ensure  that 
intended  results  are  achieved; 

•  Purchases  with  a  future  benefit  should  be  recorded  as  an  asset. 

Our  audit  findings 

The  Ministry's  current  capital  asset  policy  is  not  detailed  enough  to  help  in 
deciding  if  a  purchase  is  a  capital  asset  or  a  current-year  expense.  As  a 
result,  it  can  be  hard  to  decide  whether  to  capitalize  or  expense  information 
system  purchases.  For  example: 

•  The  payment  schedule  for  the  $19  million  software  included  $4.7 
million  for  software  maintenance  that  covered  a  period  of  three  years. 
The  Ministry  recorded  the  full  amount  as  an  expense  considering  it 
maintenance.  However,  because  the  maintenance  costs  paid  in  the 
current  year  had  a  benefit  extending  over  three  years,  future  years' 
maintenance  costs  of  $3.8  million  should  have  been  recorded  as  an 
asset. 

•  The  Ministry  bought  telephone  systems  improvements  for  a  total  cost 
of  approximately  $187,000.  Some  components  of  the  systems  were 
capitalized  and  others  that  appear  to  be  capital  in  nature  were  expensed, 
resulting  in  $43,000  overstatement  of  expenses. 


Ministry  purchased 
new  software  for 
S19M 


Policy  is  not 
detailed  enough 


Future  maintenance 
cost  expensed 
instead  of  being 
recorded  as  asset 
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Implications  and  risks  if  recommendation  not  implemented 

The  costs  of  assets  purchased  will  not  be  recorded  accurately  or  in  the 
proper  period. 

1.5  Information  technology  control  environment 
Recommendation  No.  23 

We  recommend  that  the  Ministry  of  Employment,  Immigration  and 
Industry: 

•  develop  service  level  agreements  with  information  technology 
service  providers  that  clearly  define  expected  services; 

•  establish  processes  to  obtain  assurance  that  these  service  providers 
consistently  meet  service  level  requirements  and  that  control 
activities  performed  by  the  providers  are  operating  effectively. 

Background 

The  Ministry  has  outsourced  much  of  its  information  technology  (IT) 
infrastructure  and  operations.  Outsourcing  can  be  an  efficient  and  effective 
way  to  provide  required  IT  services  to  an  operation.  However, 
organizations  that  outsource  all  or  part  of  their  IT  infrastructure  or 
operations  must  still  ensure  that  service  levels  are  met  and  that  there  are 
appropriate  controls  over  the  confidentiality,  integrity,  and  availability  of 
the  all  information  assets. 

The  Ministry  relies  on  two  IT  service  providers  and  Service  Alberta  to 
support  their  IT  operations. 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  have: 

•  service  level  agreements  (SLAs)  with  service  providers  that  outline  the 
that  will  be  provided. 

•  effective  documented  control  processes  to  ensure  that  service  providers 
consistently  meet  the  agreed  to  SLAs  and  security  requirements. 

Our  audit  findings 

The  Ministry  has  entered  into  an  SLA  with  Service  Alberta.  However,  the 
SLA  does  not  clearly  define  expectations  for  the  outsourced  information 
technology  services.  The  Ministry  also  does  not  have  a  review  process  to 
ensure  that  Service  Alberta  has  controls  in  place  over: 

•  access  to  systems 

•  remote  access  security 

•  change  control  processes 


SLA  does  not 
adequately  define 
expectations 
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Assurance  over 
service  provider 
controls  not 
obtained 


The  Ministry  also  has  a  SLA  with  two  other  services  providers.  But  the 
Ministry  does  not  have  a  process  to  ensure  that  one  of  these  two  sen  ice 
providers  is  managing  their  access  to  ensure  the  protection  and 
confidentiality  and  integrity  of  the  Ministry's  information  assets. 


Implications  and  risks  if  recommendation  not  implemented 

Without  defining  services  required  and  without  processes  to  monitor  and 
ensure  that  all  outsourced  service  providers  are  meeting  the  required  SLA 
and  security  requirements,  the  Ministry  may  not  receive  the  expected 
services  and  have  sufficient  information  to  evaluate  service  quality. 


Unqualified 
opinions  and  no 
exceptions 


2.    Performance  reporting 
2.1  Financial  statements 

We  issued  unqualified  audit  opinions  for: 

•  the  Ministry  of  Employment,  Immigration  and  Industry  the  year  ended 
March  3 1 ,  2007 

•  the  March  3 1 ,  2007  Labour  Market  Development  Claim 

•  the  March  3 1 ,  2006  Employability  Assistance  for  People  with 
Disabilities  Claim. 


2.2  Performance  measures 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures 
on  the  Ministry's  performance  measures. 

3.    Other  entities  that  report  to  the  Minister 

3.1  Performance  reporting — Workers'  Compensation  Board 

We  issued  an  unqualified  auditor's  opinion  on  the  financial  statements  of 
WCB  for  the  year  ended  December  31,  2006.  We  also  issued  an  unqualified 
auditor's  opinion  on  the  schedule  of  administrative  charges  of  WCB  for  the 
year  ended  December  3 1 ,  2006. 
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Energy 

Summary:  what  we  found  in  our  audits 

Systems 

Royalty  review  systems — see  Volume  I,  page  91. 

The  Department  and  the  Alberta  Energy  and  Utilities  Board  (EUB)  should 
continue  to  implement  our  recommendations  regarding  the  assurance  over  the 
accuracy  of  volumetric  data — see  page  64. 

The  EUB  should  implement  an  IT  control  framework — see  page  7 1 . 
Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry  and  the 
Department  are  unqualified.  We  found  no  exceptions  when  we  completed 
specified  auditing  procedures  on  the  Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

Performance  reporting 

•     Our  auditor's  reports  on  the  financial  statements  of  the  EUB  and  the  Alberta 
Petroleum  Marketing  Commission  (the  Commission)  are  unqualified. 


Overview  of  the  Ministry 

Ministry  entities      The  Ministry  consists  of  the  Department  of  Energy,  the  EUB  and  the 
Commission. 

The  Ministry's  2006-2009  business  plan  identifies  four  core  businesses: 

•  secure  Albertans'  share  and  benefits  from  energy  and  mineral  resource 
development 

•  ensure  Alberta's  energy  and  mineral  resources  remain  accessible,  competitive 
and  attractive  to  investment  and  development 

•  ensure  Alberta  consumers  have  a  choice  of  reliable  and  competitively  priced 
energy 

•  regulate  the  development  and  delivery  of  Alberta's  energy  resources  and 
utilities  services  in  a  manner  that  is  fair,  responsible  and  in  the  public  interest 


Four  core 
businesses 
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Ministry  received  xhe  Ministry  collected  $12.7  billion  in  revenue  in  2006-2007,  from  the  following 
$12.7  billion 

sources: 

(millions  of  dollars) 

Non-renewable  resource  revenue  $  12,260 

Freehold  mineral  rights  tax  3 1 7 

Industry  levies  and  licenses  85 
Other  revenue  5 1 

Ministry  spent        The  Ministry  spent  $223  million  in  2006-2007. 
$223  million 

For  more  details  on  the  Ministry,  visit  its  website  at  www.energy.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  audited  the  adequacy  of  the  Department's  royalty  review  systems.  We 
also  followed  up  our  previous  recommendations. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  and  the  Department  for 
the  year  ended  March  31,  2007.  We  completed  specified  auditing  procedures 
on  the  performance  measures  in  the  Ministry's  annual  report. 

3.  Other  entities  that  report  to  the  minister 

We  audited  the  financial  statements  of  the  Commission  for  the  year  ended 
December  31,  2006.  We  also  audited  the  EUB  financial  statements  for  the 
year  ended  March  31,  2007. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Assurance  on  well  and  production  data — progress  report 
Background 

Last  year  we  repeated  our  recommendation  that  the  Department: 

•  complete  its  risk  assessment  and  evaluate  the  assurance  obtained  from 
the  Petroleum  Registry  System  and  the  Department's  controls  over  well 
and  production  data; 

•  communicate  to  the  Alberta  Energy  and  Utilities  Board  how  much 
assurance,  if  any,  the  Department  needs  over  the  completeness  and 
accuracy  of  well  and  production  data. 
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We  first  reported  this  matter  in  our  2002-2003  Annua/  Report  (page  97),  and 
revised  our  recommendation  in  our  2004-2005  Annual  Report  ( No.  2S  page 
165)  to  focus  more  on  the  Department's  responsibilities.  Last  year,  we 
repeated  the  recommendation  because  the  Department's  progress  was  slow. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  adequate  assurance  that  well  and  production 
data  reported  by  industry  is  complete  and  accurate. 

Management  actions 

a)  Communication  between  the  Department  and  the  EUB 

The  Department  and  the  EUB  worked  together  through  a  joint  steering 
committee  established  to  implement  our  recommendation.  The  steering 
committee  was  co-chaired  by  an  assistant  deputy  minister  from  the 
Department  and  an  executive  manager  from  the  EUB  along  with  other 
senior  managers  from  both  organizations.  A  project  team  was  also 
established  that  included  the  committee  members,  other  Ministry  staff, 
and  consultants.  The  degree  of  cooperation  and  communication  between 
the  Department  and  the  EUB  improved  after  the  formation  of  the 
steering  committee  which  met  regularly  throughout  the  year. 

b)  Risk  and  control  assessment 

In  October  2006,  the  project  team  prepared  a  draft  risk  assessment  that 
identified  25  data  elements  that  have  a  significant  impact  on  royalty 
calculations  for  gas  and  conventional  oil.  Since  the  25  data  elements  only 
pertain  to  gas  and  conventional  oil,  a  separate  risk  assessment  for  oil 
sands  is  being  done.  For  each  element  the  team  estimated  the  impact  and 
probability  of  errors  on  royalty  calculations. 

The  Steering  Committee  also  hired  consultants  to  document  systems  and 
identify  existing  controls.  The  documentation  prepared  by  the 
consultants  identifies  many  relevant  controls  over  the  completeness  and 
accuracy  of  volumetric  data  once  that  data  has  been  entered  into  the 
petroleum  registry  and  transferred  to  the  Department's  systems  that 
calculate  royalties. 

From  February  to  May  2007,  the  project  team  made  further  progress  on 
the  risk  assessment  started  in  October  2006  by  identifying  controls  for 
each  element  that  would  prevent  or  detect  errors  in  well  and  production 
data  from  their  source  as  entered  into  the  petroleum  registry. 
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c)    Communicate  required  level  of  assurance 

The  steering  committee's  strategy  was  to  have  the  EUB  audit  groups 
begin  testing  some  of  the  data  elements  while  other  steps  were  being 
taken  to  implement  the  recommendation.  As  such,  after  the  project  team 
prepared  the  draft  risk  assessment  in  October  2006,  the  steering 
committee  decided  to  focus  available  audit  resources  on  the  audit  of  six 
data  elements  that  received  the  highest  risk  ratings.  Through  the 
committee,  the  Department  reviewed  and  approved  the  audit  plans  for 
these  six  data  elements.  The  EUB  completed  these  six  data  element 
audits,  and  the  project  team  is  assessing  the  results. 


Finish  risk 
assessment 


Assess  residual 
risks 


Extrapolate 
findings 


Ensure  processes 
are  sustainable 


What  remains  to  be  done 

The  Department  needs  to  complete  these  key  steps  to  finish  implementing  our 
recommendation: 

•  Finish  the  draft  risk  assessment  for  the  25  data  elements.  The  project 
team  has  identified  several  controls  for  each  data  element  that  may 
prevent  or  detect  errors  in  volumetric  data  as  entered  into  the  Petroleum 
Registry.  To  finish  the  assessment,  controls  over  the  initial  well  and 
production  data  entered  by  producers  need  to  be  documented  and  key 
controls  need  to  be  tested  to  determine  if  they  are  operating  as  intended 
to  allow  a  conclusion  as  to  whether  the  controls  provide  adequate 
assurance  for  each  element. 

•  Identify  any  significant  residual  risks.  From  the  above  step,  the 
Department  will  be  able  to  determine  for  each  data  element  whether 
more  assurance  is  needed  or  conclude  that  adequate  assurance  is  already 
obtained.  More  assurance  may  be  obtained  by  changing  or  implementing 
new  control  processes,  or  directly  verifying  the  data  through  audits.  The 
Department  should  work  with  the  EUB  to  determine  the  most  efficient 
way  of  obtaining  any  additional  assurance  required.  It  may  be 
determined  that  the  most  efficient  way  to  obtain  more  assurance  is  to 
amend  or  implement  a  new  control  process  at  the  Department  or  the 
EUB,  or  to  perform  direct  verification  through  an  audit. 

•  Ensure  that  audit  findings  can  be  extrapolated.  As  noted  above,  the 
project  team  is  assessing  the  findings  of  the  six  data  element  audits. 
Findings  for  three  data  elements  can  be  extrapolated  to  provincial  totals 
while  three  cannot  be  extrapolated.  Future  audit  samples  need  to  be 
designed  to  ensure  that  findings  can  be  extrapolated  to  provincial  totals 
and  the  effects  calculated  on  royalties.  The  ability  to  extrapolate  audit 
findings  increases  substantially  the  value  of  the  audit  work  completed. 

•  Ensure  that  sources  of  assurance  are  sustainable.  While  reviewing  the 
progress  that  the  EUB  made  on  our  volumetrics  recommendation  we 
noted  that  the  production  audit  group  was  unable  to  complete  any 
measurement  compliance  audits  in  the  current  year  because  their  staff 
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were  fully  utilized  completing  two  data  element  audits  for  the 
Department.  If  the  EUB  cannot  provide  assurance  to  the  Department 
over  the  long  term,  the  Department  will  have  to  make  other  arrangements 
to  obtain  assurance. 

Other  observation 

In  July  2007  the  Government  of  Alberta  was  in  the  process  of  reviewing 
Alberta's  royalty  regime.  The  Department  should  consider  the  findings  of  its 
risk  and  control  assessment  in  making  any  recommendations  to  amend  the 
existing  royalty  regime  to  make  it  as  straight  forward  as  practically  possible. 
The  more  complex  the  regime,  the  more  resources  needed  to  control  risks  and 
ensure  collection  of  applicable  royalties. 

Implications  and  risks  if  recommendation  not  implemented 

Until  the  recommendation  is  fully  implemented,  our  original  finding  that  the 
Department  cannot  detennine  and  support  the  assurance  obtained  over 
volumetric  data  remains  outstanding. 

Without  assurance  over  volumetric  data  the  Department  cannot  support  a 
conclusion  that  all  royalties  due  under  the  existing  regime  are  being 
collected. 

1.2  Royalty  adjustment  programs — implemented 
Background 

In  our  2002-2003  Annual  Report  (page  95),  we  recommended  that  the 
Department  of  Energy  assess  whether  the  royalty  reduction  sub-programs  are 
achieving  their  intended  objectives.  The  adjustment  sub-programs  are 
designed  to  encourage  production  from  wells  that  would  otherwise  not  be 
economic  to  drill  and  operate.  Last  year,  the  Department  finished  reviewing 
four  of  the  then  eleven  royalty  adjustment  sub-programs  and  made  plans  to 
amend  or  phase  out  those  four  sub-programs.  To  implement  our 
recommendation  the  Department  needed  to  demonstrate  a  plan  to  review  the 
remaining  sub-programs. 

Our  audit  findings 

The  Department  implemented  our  recommendation  by  preparing  a  schedule 
that  lists  when  each  of  the  sub-programs  will  be  reviewed.  For  example,  the 
Department  plans  to  review  three  more  of  the  sub-programs  by  July  2008. 
We  understand  this  schedule  may  change  depending  on  the  recommendations 
of  the  Government  of  Alberta's  public  royalty  review  panel. 
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2.  Performance  reporting 

2.1  Financial  statements 

We  issued  unqualified  auditor's  reports  on  the  financial  statements  of  the 
Ministry  and  the  Department. 

2.2  Royalty  revenue  adjustments — implemented 
Background 

In  2006,  we  recommended  that  the  Department  review  the  extent  of  evidence 
required  to  support  significant  adjustments  to  royalty  revenue  because  we 
found  that  the  Department  did  not  have  sufficient  support  for  a  $237  million 
accounting  adjustment  related  to  the  low  productivity  royalty  adjustment. 

Our  audit  findings 

This  year  we  reviewed  two  new  adjustments  and  concluded  that  they  were 
adequately  supported.  One  adjustment  was  to  accrue  $55  million  for  Alberta 
Royalty  Tax  Credit  claims  that  will  be  received  in  2007  and  apply  to  the 
2006  tax  year.  The  other  was  a  $29  million  adjustment  relating  to  annual 
operating  costs  to  improve  the  accuracy  of  the  natural  gas  royalty  accrual. 

The  Department  continues  to  assess  the  reasonableness  of  existing 
adjustments  in  the  royalty  forecasts  and  will  assess  whether  additional 
adjustments  are  required  to  improve  the  accuracy  of  the  accruals  where 
changing  historical  trends  or  new  information  suggests  doing  so.  Also,  we 
will  continue  to  review  adjustments  in  our  future  audits. 

2.3  Performance  measures 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures 
on  the  Ministry's  performance  measures. 

3.  Other  entities  that  report  to  the  Minister 
3.1  Systems 

3.1 .1  Assurance  systems  for  volumetric  accuracy  and  enforcing 

measurement  standards — progress  report 
Background 

In  our  2004-2005  Annual  Report  (No.  29 — page  169),  we  recommended  that 
the  Alberta  Energy  and  Utilities  Board  explore  ways  to  strengthen  its  controls 
for  verifying  the  accuracy  and  completeness  of  oil  and  natural  gas  volumetric 
data  and  for  enforcing  measurement  standards. 

Industry  is  required  to  file  volumetric  production  data  each  month  with  the 
EUB.  The  volume  of  gas  and  oil  produced  during  the  month  is  reported  in  the 
Petroleum  Registry  of  Alberta  (the  Registry)  to  both  the  EUB  and  the 
Department  of  Energy  (the  Department). 
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The  EUB  conducts  a  wide  variety  of  assurance  and  audit  activities  to  ensure 
compliance  with  regulatory  requirements  including  audits  that  verify 
production  data  reported  by  industry  to  confirm  compliance  with 
measurement  standards.  A  large  portion  of  the  compliance  work  related  to 
production  data  is  conducted  by  the  EUB's  production  audit  and  information 
collection  and  dissemination  groups.  Production  data  is  used  by  the 
Department  to  calculate  royalties  and  the  Department  relies  on  the  integrity 
of  the  EUB  information  management  processes  and  audit  work.  The 
regulatory  compliance  audits  were  the  focus  of  our  original  recommendation. 

Our  original  audit  identified  that  the  EUB  had  not  determined  or 
communicated  to  the  Department  the  level  of  assurance  over  production  data 
provided  by  its  audits.  We  also  noted  the  EUB  should  identify  areas  where 
computer  edits  or  warning  messages  within  the  Registry  are  incomplete  or  do 
not  effectively  identify  anomalies  with  production  data.  In  addition,  we 
observed  that  relative  to  the  extent  of  industry  activity  a  limited  number  of 
production  audits  were  completed,  mainly  due  to  limited  audit  resources. 
Finally,  we  noted  that  enforcement  criteria  for  differences  in  the 
measurement  of  production  data  were  unclear. 

Criteria:  the  standards  we  used  for  our  audit 

The  EUB  should  have  processes  to: 

•  verify  industry's  reported  volumetric  data;  and 

•  enforce  its  measurement  requirements. 

Management  actions 

a)    Communication  between  the  EUB  and  the  Department 

Communication  between  the  EUB  and  the  Department  has  improved  in 
2007  with  the  fonnation  of  a  joint  steering  committee  and  project  team 
established  primarily  to  prepare  a  detailed  analysis  and  risk  assessment 
for  production  data,  and  to  evaluate  the  amount  of  assurance  over  the 
accuracy  of  production  data  that  the  Registry  edits  and  other  validation 
controls  are  providing.  The  steering  committee  developed  a  work  plan  to 
provide  direction  to  Department  and  EUB  staff.  A  strategy  to  seek  direct 
audit  assurance  over  key  production  data  elements  was  established.  In 
total,  25  data  elements  were  identified  as  potentially  impacting  royalties. 
Of  the  25  data  elements,  six  were  identified  by  the  Department  of  Energy 
as  most  risky  and  were  audited  by  the  EUB.  The  methodology  and  the 
confidence  level  associated  with  the  extrapolation  of  the  volumetric 
errors  in  the  measurement  of  production  data  across  the  province  have 
not  yet  been  finalized. 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Extrapolation 
methodology  not 
finalized 


Volume  2— Audits  and  recommendations 


Energy 


b)    Data  Integrity  within  the  Petroleum  Registry 

The  EUB  has  taken  steps  to  identify  areas  where  computer  edits  or 
warning  messages  within  the  Petroleum  Registry  of  Alberta  are 
incomplete  or  do  not  effectively  identify  anomalies.  The  EUB 
Information  and  Collection  Dissemination  Group  (ICD)  has  a  process  for 
tracking,  assessing,  assigning  responsibility  and  communicating 
identified  production  data  issues  within  the  Registry.  The  ICD  performs 
a  number  of  queries  and  analyses  on  the  Registry  data  in  order  to  identify 
data  anomalies  and  areas  for  enhancement.  The  purpose  of  these  queries 
and  analyses  is  to  assess  areas  where  controls  within  the  Registry  could 
be  improved,  as  well  as  to  perform  a  review  over  the  integrity  and 
reasonability  of  the  production  data.  Documentation  has  been  prepared 
by  the  EUB  that  outlines  which  queries  are  currently  being  completed 
and  what  steps  should  be  taken  if  an  issue  has  been  identified,  dependant 
on  the  severity  of  the  issue. 


Non-compliance 
categories  defined 


c)  Enforcement 

A  revised  Compliance  Assurance — Enforcement  Directive  was  released 
in  February  2007  and  sets  out  as  one  objective:  to  provide  accurate, 
comprehensive  and  current  information,  including  production  data,  to  its 
stakeholders.  Categories  of  non-compliance  are  now  clearly  defined. 


Production  Audit 
Group 
significantly 
short-staffed 


d)  Staffing 

The  Production  Audit  Group  is  now  comprised  of  seven  individuals  who 
are  responsible  for  performing  the  various  audits  and  achieving  the  goals 
set  out  in  the  annual  audit  plan.  However,  for  a  significant  portion  of 
2006,  the  Production  Audit  Group  consisted  of  only  one  auditor. 


e)   Audit  documentation 

New  documentation  standards  for  the  planning,  execution,  reporting  and 
follow-up  phases  of  field  audits  and  audit  findings  review  procedures 
have  been  implemented  by  the  Production  Audit  Group. 


Establish  level  of 
data  accuracy 


What  remains  to  be  done 

While  it  is  recognized  that  the  accuracy  of  the  calculation  of  oil  and  gas 
royalties  in  Alberta  is  a  shared  responsibility  of  the  Department  of  Energy 
and  the  EUB,  to  complete  the  implementation  of  our  recommendation  the 
EUB  should: 

•     Set  expected  levels  of  assurance.  The  EUB  has  not  set  the  expected 
levels  of  assurance  required.  In  consultation  with  the  Department  of 
Energy,  the  EUB  should  establish  the  levels  of  data  accuracy  assurance 
that  its  processes  (audits,  computer  edits)  should  provide.  The  EUB 
should  identify  the  levels  of  assurance  provided  by  its  preventative, 
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detective  and  corrective  controls.  The  controls  should  be  identifiable  in 
relation  to  the  control  objectives  established  by  the  HUB. 

•  Assess  its  ability  to  continue  to  conduct  both  the  data  element  audits  and 
regulatory  compliance  audits.  Once  the  assessment  is  complete,  a  plan 
should  be  developed  and  operationalized  to  provide  the  sustainable  audit 
assurance  that  is  required.  Regulatory  compliance  audits  have  not  been 
completed  since  May  2006  as  the  Production  Audit  Group  was  directly 
impacted  by  the  availability  of  staff  required  to  complete  the  data 
element  audits.  It  is  uncertain  whether  the  Production  Audit  Group  will 
have  sufficient  staff  to  complete  the  planned  regulatory  compliance 
audits  (80  in  2007  and  140  in  2008)  as  well  as  the  data  clement  audits. 

•  Implement  a  regular  and  timely  reporting  system  for  measuring  and 
quantifying  identified  errors  for  use  by  both  the  EUB  and  the 
Department. 

Implications  and  risks  if  recommendation  not  implemented 

Inappropriate  reliance  may  be  placed  on  the  Production  Audit  Group's  audits 
by  senior  management  at  the  EUB  and  the  Department  resulting  in  incorrect 
conclusions  relating  to  industry's  compliance  with  regulations  and  the 
accuracy  of  production  volumetric  data. 

3.1.2      Energy  and  Utilities  Board  IT  control  framework 
Recommendation  No.  24 

We  recommend  that  the  Alberta  Energy  and  Utilities  Board  (EUB) 
implement  an  IT  control  framework  to  mitigate  identified  risks  to  the 
organization. 

Background 

The  EUB  uses  information  extensively  to  fulfill  its  mandate.  Accordingly.  IT 
resources  need  to  be  managed  in  order  to  provide  the  information  it  needs. 

An  IT  control  framework  is  an  effective  method  to  mitigate  risks  and  bridge 
the  gap  between  control  requirements,  technical  issues,  and  business  risks.  A 
control  framework  should  give  senior  management  and  IT  users  a  set  of 
generally  accepted  measures,  indicators,  processes  and  best  practices  to  help 
them  maximize  IT  benefits  while  mitigating  identified  risks  through 
appropriate  IT  controls. 
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An  IT  control  framework  can  be  a  critical  element  in  ensuring  proper  controls 
over  EUB's  information  and  the  systems  and  processes  that  create,  store, 
manipulate,  and  retrieve  EUB's  client  and  financial  data.  There  are  several  IT 
frameworks  used  in  practice.  One  that  is  used  extensively  is  called  Control 
Objectives  for  Information  and  related  Technology  (COBIT). 

Criteria:  the  standards  we  used  for  our  audit 

EUB  should: 

•  Identify  and  adopt  an  organization  wide  IT  control  framework  that  is 
based  on  an  IT  risk  assessment  to  determine  the  scope  and  prioritization 
of  the  IT  control  framework. 

•  Design  and  implement  adequate  controls  to  mitigate  the  identified  risks. 

•  Assess  the  operating  effectiveness  of  the  IT  controls. 

•  Implement  a  sustainment  process  to  ensure  that  IT  controls  are  reviewed 
for  design  adequacy,  compliance,  and  effectiveness. 

Our  audit  findings 

The  EUB  has  not  conducted  an  organization  wide  IT  risk  assessment  to 
identify  risks  to  the  EUB  financial  or  business  processes  that  could  be 
mitigated  by  properly  designed  IT  controls. 

Although  we  observed  that  the  EUB  has  some  documented  and 
undocumented  control  processes  in  place  for  specific  IT  and  business 
processes  associated  with  financial  systems,  we  did  not  observe  an  overall  IT 
control  framework  that  mitigates  risks  throughout  the  EUB  computing 
environment.  This  would  include  an  adequately  documented  control  process 
to  ensure  that  access  to  all  EUB  financial  or  business  critical  systems  and 
applications  is  properly  requested,  approved,  reviewed  and  terminated  as 
appropriate.  And,  that  an  organization-wide  documented  change  management 
control  process  is  operating  to  ensure  that  all  changes  to  EUB  financial  or 
business  critical  systems  are  properly  requested,  approved,  developed,  tested, 
and  implemented  appropriately. 

Implications  and  risks  if  recommendation  not  implemented 

An  IT  control  framework  with  well  designed  control  activities  that  operate 
effectively  can  help  ensure  the  completeness,  accuracy,  and  validity  of 
EUB's  critical  business  and  financial  data.  Without  an  IT  control  framework, 
EUB  may  not  be  able  to  identify  control  processes  to  effectively  mitigate  IT 
risks. 
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3.2  Performance  reporting 
Financial  statements 

We  issued  unqualified  auditor's  reports  on  the  financial  statements  of  the 
EUB  and  the  Commission. 
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Environment 

Summary:  what  we  found  in  our  audits 

Performance  reporting 

Our  auditor's  report  on  the  Ministry's  financial  statements  is  unqualified.  We 
found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 


Overview  of  the  Ministry 


Ministry  spent        In  2006-2007,  the  Ministry  spent  $  1 5 1  million  in  its  two  core  businesses: 
S151  million 

(millions  of  dollars) 

Assuring  Environmental  Quality  $  95 

Sharing  Environmental  Management  and  Stewardship  56 

Ministry  received     The  Ministry  received  $7  million  in  2006-2007  from  sources  external  to  the 
S7  million 

government: 

(millions  of  dollars) 

Fees,  Permits  and  Licenses  $  3 

Other  Revenue  4 


For  more  detail  on  the  Ministry,  visit  its  website  at  www.gov.ab.ca/env. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  continued  to  monitor  the  Ministry's  progress  in: 

•  implementing  a  system  to  obtain  sufficient  financial  security  to 
complete  conservation  and  reclamation  of  disturbed  land 

•  developing  a  system  to  track  information  for  contaminated  sites 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  for  the  year  ended 
March  31,  2007.  We  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Financial  security  for  land  disturbances — progress  report 
Background 

Financial  security  is  to  cover  the  cost  of  abandonment,  and  remediation  and 
reclamation  that  an  operator  is  unable  to  complete.  It  is  returned  to  the 
operator  as  the  site  is  reclaimed,  or  forfeited  if  the  operator  fails  to  meet  its 
obligations. 

In  our  2004-2005  Annual  Report  (No.  3 1 — page  1 80),  we  recommended  that 
the  Ministry  of  Environment  implement  promptly  a  system  to  obtain 
sufficient  financial  security  to  ensure  parties  complete  the  conservation  and 
reclamation  activity  that  the  Ministry  regulates.  This  was  a  repeat  of  our 
1998-1999  Annual  Report  (No.  30 — page  157)  recommendation.  We  had 
noted  that  there  were  some  large  land-disturbing  industries  (oil  sands  and 
coal  mines)  that  were  not  providing  security  at  full  cost  of  reclamation  and 
there  was  no  evidence  that  a  solution  to  inadequate  security  was  imminent. 

In  our  2005-2006  Annual  Report  (Volume  2,  page  86)  we  reported  a 
government-industry  team  led  by  the  Ministries  of  Environment  and  Energy 
has  prepared  a  proposal  (Mine  Liability  Management  Program)  for  cabinet 
review  and  approval  which  uses  a  risk  based  approach  to  calculate  the 
security  needed  for: 

•  coal  mines; 

•  coal  processing  plants  and  related  infrastructure  at  mine  sites; 

•  oil  sands  mines; 

•  bitumen  extraction  processing  facilities  and  upgrading  plants,  and 
related  infrastructure  at  mine  sites;  and 

•  plants  and  infrastructure  that  sit  on  land  leased  or  owned  for  the 
purposes  of  mining  or  processing  of  coal  or  oil  sands  irrespective  of 
ownership. 

Management  actions 

At  the  time  of  our  2007  follow-up  of  progress,  the  proposal  was  being 
revised.  If  the  revisions  are  approved,  the  Ministry  then  plans  to  consult 
with  selected  stakeholders. 


Recommendation 
first  made  in 
1998-1999 


Consultation  with 

stakeholders 

planned 
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1.2  Contaminated  sites  information  system — progress  report 
Background 

In  our  2005—2006  Annual  report  (No.  29 — page  87)  and  in  our 
2002-2003  Annual  Report  (No.  12 — page  103)  we  recommended  that  the 
Ministry  of  Environment  implement  an  integrated  information  system  to 
track  contaminated  sites  in  Alberta. 

A  contaminated  site  is  land  that: 

•  contains  contamination  above  the  limits  allowed  by  environmental 
guidelines 

•  poses  an  unacceptable  risk  to  human  health  or  ecosystems 

Alberta  follows  the  guidelines  developed  by  the  Canadian  Council  of 
Ministers  of  the  Environment. 

The  Ministry  as  the  regulator  for  contaminated  sites  needs  to  have 
information  to: 

•  identify  contaminated  sites 

•  assess,  designate  and  approve  remedial  action  plans  for  contaminated 
sites 

•  ensure  contaminated  sites  are  being  managed  so  that  the  potential 
adverse  effects  have  been  mitigated. 

In  our  2002-2003  Annual  Report  we  estimated  that  the  Ministry  had  more 
than  5,000  contaminated  sites  files.  We  also  reported  that  Ministry  did  not 
have  an  overall  corporate  system  to  track  contaminated  sites  information. 

Management  actions 

The  Ministry  continued  to  electronically  capture  documents  associated  with 
contaminated  sites.  It  expects  this  electronic  infonnation  will  be  placed  into 
the  contaminated  sites  information  system. 

The  development  of  an  infonnation  system  has  been  identified  as  a 
divisional  priority  for  2007-2008.  A  project  steering  team  has  been  formed, 
and  a  project  charter  is  being  prepared. 

The  Ministry  expects  that  significant  work  will  be  done  during  2007-2008 
on  the  development  of  this  system. 


Recommendation 
first  made  in 
2002-2003 


Significant 
progress  planned 
for  2007-2008 
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Executive  Council 


Executive  Council 

Summary:  what  we  found  in  our  audits 

Performance  reporting 

Our  auditor's  report  on  the  Ministry's  financial  statements  is  unqualified.  We 
found  no  exceptions  when  we  applied  specified  auditing  procedures  to  the 
Ministry's  performance  measures. 


Overview  of  the  Ministry 

The  Ministry  consists  of  the  Office  of  the  Premier  and  Executive  Council  and 
the  Public  Affairs  Bureau. 

In  2006-2007,  the  Ministry  spent  $21.5  million. 

For  more  information  on  the  Ministry,  see  www.gov.ab.ca  and 
www.pab.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  for  the  year  ended 
March  31,  2007.  We  applied  specified  auditing  procedures  to  the  performance 
measures  in  the  Ministry's  2006-2007  annual  report. 
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Finance 

Summary:  what  we  found  in  our  audits 

Systems 

The  Government's  revenue  forecasting  systems — see  Volume  1.  page  133. 
The  Ministry  should: 

•  assess  the  risk  of  individuals  exceeding  the  tax-exempt  tobacco  limit  of  the 
Alberta  Indian  Tax  Exemption  program — see  page  85. 

•  ensure  that  staff  properly  approve  journal  entries — see  page  86. 

•  ensure  that  controls  over  information  assets  hosted  or  administered  by  third 
party  service  providers  are  documented  and  operating  effectively — see 
page  87. 

•  improve  controls  over  investment  management — see  page  90. 
Performance  reporting 

Our  auditor's  reports  on  the  Ministry  and  Department  of  Finance  financial 
statements  are  unqualified.  We  found  no  exceptions  when  we  completed 
specified  auditing  procedures  on  the  Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

•  Systems — Alberta  Treasury  Branches  (ATB) 

ATB  should  improve  its  processes  for  ensuring  compliance  with  Alberta 
Finance's  Outsourcing  Guideline  (see  page  94),  implement  an  effective 
organization-wide  information  technology  control  framework  (see  page  97). 
and  confirm  the  reasonableness  of  its  general  loan  loss  allowance  model 
(see  page  99). 

•  Systems — Alberta  Securities  Commission 
We  assessed  5  remaining  recommendations  from  our  2005  report  as 
implemented. 

Performance  reporting — Alberta  Treasury  Branches 

We  issued  unqualified  auditor's  reports  for  all  the  financial  statement  audits 
we  completed  during  the  year  for  ATB  and  its  subsidiaries  listed  in  section 
3.2  of  Scope.  A  public  accounting  firm  issued  unqualified  auditors'  reports 
for  regulatory  compliance  audits  of  ATB's  subsidiaries. 


Three 

recommendations  to 
ATB 


Unqualified  reports 
for  ATB  and  its 
subsidiaries' 
financial  statements 
and  compliance 
audits 
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Unqualified  reports 
for  other  entities 


Alberta  Heritage 
Savings  Trust  Fund 


Three  core 
businesses 


•  Performance  reporting — other  entities 

We  issued  unqualified  auditor's  reports  for  all  the  financial  statement  audits 
we  completed  during  the  year  for  the  entities  listed  in  section  3.4  of  Scope. 

•  Performance  reporting — Alberta  Heritage  Savings  Trust  Fund 

We  provided  interim  review  reports  to  the  Minister  of  Finance  on  the 
Alberta  Heritage  Savings  Trust  Fund's  quarterly  financial  statements. 


Overview  of  the  Ministry 

The  Ministry  of  Finance  has  three  core  businesses: 

•  Fiscal  planning  and  financial  management 

•  Investment,  treasury  and  risk  management 

•  Financial  sector  and  pensions 


Department  and 
entities 


The  Ministry  consists  of  the  Department  and  the  entities  listed  in  section  3 .4  of 
Scope,  including  Alberta  Treasury  Branches. 


Ministry  manages 
over  $70  billion  of 
investments 


Ministry  received 
$16.8  billion 


The  Ministry  manages  investments  with  a  market  value  of  more  than  $70  billion 
as  at  March  3 1 ,  2007.  These  investments  include  the  assets  of  the  General 
Revenue  Fund,  Alberta  Heritage  Savings  Trust  Fund,  other  provincial 
endowment  funds,  government-sponsored  public  sector  pension  plans  and  other 
government-related  clients. 

The  Ministry  collected  approximately  $16.8  billion  in  net  revenues  in 
2006-2007  from  the  following  sources: 


Income  taxes 

Net  investment  income 

Other  taxes 

Net  income  from  commercial  enterprises 
Other 


(millions  of  dollars) 

$  11,228 
2,953 
1,821 
282 
504 
$  16.788 


Ministry  spent 
$950  million 


ATB 


In  2006-2007,  the  Ministry  expenses  were  $950  million.  The  largest  expense 
was  $464  million  for  interest  and  related  expenses. 

ATB,  operating  as  ATB  Financial,  is  a  provincial  agency  accountable  through 
its  Board  of  Directors  to  the  Minister  of  Finance.  ATB  provides  a  range  of 
financial  services  including  accepting  deposits  and  making  loans  to  Albertans 
and  businesses.  ATB  has  also  established  subsidiaries  to  distribute  mutual  funds 
and  trade  securities  for  customers. 
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Websites  tor  both  por  more  information  on  the  Ministry  and  its  programs,  see  its  website  at 
Ministry  an  www.finance.gov.ab.ca.  For  more  information  on  ATB,  see  its  website  at 

www.atb.com. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  whether  the  Ministry  had  overpaid  tax  refunds  to  a  retailer 
for  purchases  in  excess  of  the  weekly  tobacco  limit  under  the  Alberta  Indian 
Tax  Exemption  program. 

We  followed  up  on  our  previous  years'  recommendations  on: 

•  relying  on  Canada  Revenue  Agency 

•  monitoring  private  sector  pension  plans 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  and  the  Department  for 
the  year  ended  March  31,  2007.  We  also  applied  specified  auditing 
procedures  to  the  performance  measures  in  the  Ministry's  2006-2007 
annual  report. 

3.  Other  entities  that  report  to  the  Minister 

3.1  Systems — Alberta  Treasury  Branches 

We  examined  three  areas:  processes  for  ensuring  compliance  with  Alberta 
Finance's  Outsourcing  Guideline,  information  technology  control 
framework,  and  the  general  loan  loss  allowance. 

3.2  Performance  reporting — Alberta  Treasury  Branches 

We  audited  the  financial  statements  of  ATB  for  the  year  ended 
March  31,  2007.  We  also  completed  review  engagements  for  ATB's 
quarterly  financial  statements.  In  addition,  we  audited: 

•  ATB's  Management  Pension  Plan  for  the  year  ended 
December  31,  2006. 

•  financial  statements  for  the  year  ended  March  3 1 ,  2007  for  the  three 
subsidiaries  of  ATB: 

•  ATB  Investment  Services  Inc. 

•  ATB  Investment  Management  Inc. 

•  ATB  Securities  Inc. 

Compliance  audits  at         a  public  accounting  firm  performed  compliance  audits  of  ATB's  three 
ATB  subsidiaries  and  reported  directly  to  the  applicable  regulatory  bodies.  We 

reviewed  the  results  of  these  audits: 


Financial  statement 
audits  at  ATB 
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•  Mutual  Fund  Dealers  Association  of  Canada's  Financial  Questionnaire 
and  Report  as  at  March  3 1 ,  2007 

•  Investment  Dealers  Association  of  Canada's  Joint  Regulatory  Financial 
Questionnaire  and  Report  as  at  March  3 1 ,  2007 

•  Compliance  with  applicable  sections  of  National  Instrument  81-102  as 
required  by  the  Alberta  Securities  Commission  for  the  year  ended 
March  31,  2007 

3.3  Systems — Alberta  Securities  Commission 

We  followed  up  the  outstanding  2005  recommendations  to  improve  the 
Commission's  enforcement  system. 

3.4  Performance  reporting — other  entities 

We  audited  the  following  entities  consolidated  within  the  Ministry: 
For  the  year  ended  March  31,  2007: 

•  Alberta  Cancer  Prevention  Legacy  Fund 

•  Alberta  Heritage  Savings  Trust  Fund 

•  Alberta  Heritage  Foundation  for  Medical  Research  Endowment  Fund 

•  Alberta  Heritage  Scholarship  Fund 

•  Alberta  Heritage  Science  and  Engineering  Research  Endowment  Fund 

•  Alberta  Risk  Management  Fund 

•  Alberta  Securities  Commission 

•  N. A.  Properties  ( 1 994)  Ltd. 

•  Provincial  Judges  and  Masters  in  Chambers  Reserve  Fund 

•  Supplementary  Retirement  Plan  Reserve  Fund 

For  the  year  ended  December  31,  2006: 

•  Alberta  Capital  Finance  Authority 

•  Credit  Union  Deposit  Guarantee  Corporation 

•  Alberta  Pensions  Administration  Corporation 

•  Alberta  Local  Authorities  Pension  Plan  Corp. 

For  the  year  ended  September  30,  2006: 

•  Gainers  Inc. 

In  addition,  we  examined  the  financial  statements,  management  letters,  and 
audit  files  for  the  year  ended  December  3 1 ,  2006  for  Alberta  Insurance 
Council,  a  Crown-controlled  corporation  consolidated  with  the  Ministry.  A 
public  accounting  firm  audits  the  Council. 

We  also  audited  the  financial  statements  of  the  following  entities  that  are 
not  consolidated  with  the  Ministry: 
For  the  year  ended  March  3 1 ,  2007: 

•  ARCA  Investments  Inc 


Other  entities 
consolidated  in 
Ministry  financial 
statements 


Entities  not 
consolidated  in 
Ministry  financial 
statements 
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•  Consolidated  Cash  Investment  Trust  Fund. 

•  Provincial  Judges  and  Masters  in  Chambers  (Registered)  Pension  Plan 

For  the  year  ended  December  3 1 ,  2006: 

•  Local  Authorities  Pension  Plan 

•  Management  Employees  Pension  Plan 

•  Public  Service  Management  (Closed  Membership)  Pension  Plan 

•  Public  Service  Pension  Plan 

•  Special  Forces  Pension  Plan 

•  Supplementary  Retirement  Plan  for  Public  Service  Managers 

3.5  Performance  reporting— Alberta  Heritage  Savings  Trust  Fund 
We  completed  reviews  of  the  Alberta  Heritage  Savings  Trust  Fund's 
quarterly  financial  statements. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Alberta  Indian  Tax  Exemption  program  limits 
Recommendation 

We  recommend  that  the  Ministry  of  Finance  assess  the  risk  of  paying 
tax  refunds  for  individuals  exceeding  the  tax-exempt  tobacco  limit  of 
the  Alberta  Indian  Tax  Exemption  program,  and  reduce  the  risk  if  it  is 
too  high. 

Background 

Exempt  from  tax  Under  the  Alberta  Indian  Tax  Exemption  program,  eligible  Indian 

consumers  are  exempt  from  paying  Alberta  tax  on  tobacco  products  bought 
on  Indian  reserves  in  Alberta  for  their  own  use.  There  is  an  exemption  limit 
of  400  grams  (two  cartons  of  cigarettes)  per  calendar  week  (Monday  to 
Sunday).  In  the  fiscal  year  ending  March  31,  2007,  the  Ministry  paid 
approximately  $30  million  to  retailers  under  this  program. 

Approximately  half  of  retailers  use  a  manual  paper  system  to  keep  track  of 
purchases  under  this  program;  the  other  half  uses  an  electronic  system.  The 
electronic  system,  with  a  one-day  time  lag,  identifies  individuals  who  have 
exceeded  their  weekly  limits.  Under  the  paper  system,  retailers  keep  and 
then  send  vouchers  to  the  Ministry  for  tax-exempt  refunds. 

The  Ministry's  audit  group  randomly  checks  retailers  to  ensure  retailers  are 
not  allowing  ineligible  consumers  to  purchase  tax-free  cigarettes.  The 
Ministry  takes  corrective  action  where  necessary. 


Two  systems — 
paper  and  electronic 
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Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  not  pay  refunds  to  retailers  for  purchases  in  excess  of 
an  individual's  weekly  tobacco  limit  of  400  grams. 


Exceeded  limit 


Overpayments  not 
detected 


Paper  system  may 
have  higher  risk 


Our  audit  findings 

Using  the  paper  system,  neither  the  retailer  nor  the  Ministry  can  easily 
detect  if  a  purchaser  of  tobacco  has  exceeded  his  or  her  weekly  limit.  For 
one  retailer  using  the  paper  system,  17  of  219  purchasers  had  exceeded 
their  weekly  limit,  and  one  person  had  exceeded  his  weekly  limit  by 
595  grams.  These  figures  were  based  on  all  the  vouchers  the  retailer  sent  to 
the  Ministry  over  a  two-week  period.  In  total,  over  a  two-week  period,  this 
retailer  exceeded  the  limit  by  2,295  grams  of  tobacco,  which  is  equal  to  a 
tax  refund  overpayment  of  $370.  Because  the  paper  system  does  not  track 
purchases  throughout  the  province,  individuals  could  buy  more  tobacco  at 
other  locations,  further  exceeding  the  limit. 

Neither  the  retailer  nor  the  Ministry  detected  these  overpayments.  The 
Ministry  did  not  detect  them  because  it  does  not  typically  review  the 
vouchers  from  the  paper  system  before  paying  refunds.  The  electronic 
system  would  have  detected  them. 

It's  not  clear  if  this  retailer  is  indicative  of  all  retailers  that  use  the  paper 
system,  but  there  appears  to  be  higher  risk  of  overpayment  with  the  paper 
system.  The  Ministry  needs  to  evaluate  this  risk  and  reduce  it  if  it  is  too 
high. 


Implications  and  risks  if  recommendation  not  implemented 

The  Ministry's  refunds  to  retailers  may  be  too  high. 

1.2  Journal  entries 
Recommendation 

We  recommend  that  the  Ministry  of  Finance  ensure  that  staff  properly 
approve  journal  entries.  We  also  recommend  that  the  Ministry  of 
Finance  properly  segregate  the  incompatible  functions  of  preparing 
and  approving  them. 


Journal  entries 
record  non-routine 
transactions 


Background 

Journal  entries  are  used  to  record  transactions  and  their  dollar  values  into 
the  general  ledger.  The  values  in  the  general  ledger  are  used  to  prepare  the 
financial  statements.  Journal  entries  can  be  used  to  reclassify  items,  correct 
errors  or  record  transactions  that  are  not  generated  automatically  through 
the  accounting  system.  Material  misstatements  of  financial  statements  due 
to  fraud  often  involve  the  manipulation  of  the  financial  reporting  process  by 
recording  inappropriate  or  unauthorized  journal  entries. 
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Criteria:  the  standards  we  used  for  our  audit 

Proper  financial  risk  management  requires  that  the  person  approving  a 
journal  entry  be  a  different  person  from  the  one  who  prepared,  batched,  or 
entered  the  journal  entry  into  the  financial  system.  Due  to  the  potential  risks 
of  journal  entries,  the  Ministry  should: 

•  ensure  that  someone  with  strong  accounting  knowledge  approves 
journal  entries,  and 

•  properly  segregate  incompatible  duties  of  preparing  and  approving 
journal  entries. 

This  ensures  that  at  least  two  people  see  each  journal  entry  and  reduces  the 
risk  of  error. 

Our  audit  findings 

We  tested  30  journal  entries  and  found  that  18  lacked  evidence  of  approval. 
The  Ministry  said  that  the  accounting  officer  will  spot  check  some  of  these 
entries  during  the  daily  balancing  process;  however,  this  does  not  include 
every  entry.  Therefore,  in  many  cases,  only  the  preparer  will  see  the  journal 
entry.  None  of  the  journal  entries  we  examined  were  inappropriate. 

Implications  and  risks  if  recommendation  not  implemented 

The  Ministry  could  fail  to  detect  manipulation  of  the  financial  statements 
through  incorrect  or  fraudulent  journal  entries. 

1.3  Obtaining  assurance  on  third  party  service  providers 
Recommendation 

We  recommend  that  the  Tax  and  Revenue  Administration  Division  of 
the  Ministry  of  Finance  ensure  that  controls  over  Ministry  information 
assets  hosted  or  administered  by  third  party  service  providers  are 
documented  and  operating  effectively. 

Background 

Tax  and  Revenue  Administration  (TRA)  relies  on  its  computing 
environment  to  provide  complete,  accurate,  and  valid  data  for  use  in  the 
ongoing  business  activities  within  the  Ministry  of  Finance.  TRA  has 
outsourced  the  managed  operations  and  application  management  services  of 
its  main  financial  and  non-financial  information  systems  to  a  private  sector 
service  provider.  Outsourcing  can  be  an  efficient  and  effective  means  by 
which  to  obtain  necessary  information  technology  (IT)  services.  However, 
organizations  that  outsource  all  or  part  of  their  IT  infrastructure  or 
operations  are  still  responsible  for  ensuring  that  service  levels  are  met,  and 
that  there  are  appropriate  controls  over  the  security,  confidentiality, 
integrity,  and  availability  of  information  assets. 


Journal  entries  not 
approved 


Outsourced 
operations 
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Criteria:  the  standards  we  used  for  our  audit 

TRA  management  should  ensure  that  a  properly  documented  and  designed 
IT  general  control  environment  is  operating  effectively  throughout  the 
whole  organization,  including  outsourced  environments,  to  mitigate  any 
identified  or  inherent  risks. 

Our  audit  findings 

TRA  is  dependent  upon  their  main  service  provider  for  the  daily  operations 
of  financial  and  critical  business  systems. 

We  found  that  the  Ministry  follows  undocumented  control  processes  to 
ensure  that  third  party  service  providers  meet  contractual  and  service  level 
requirements.  We  were  unable  to  determine  if  the  undocumented  control 
processes  were  designed  adequately  to  mitigate  any  inherent  risks  in  the 
control  environment. 

We  were  unable  to  find  adequate  evidence  that  controls  in  place  were 
consistently  followed  and  operating  effectively  throughout  the  fiscal  year. 

TRA  has  drafted  a  service  assurance  process  to  monitor  the  main 
outsourced  vendor's  compliance  to  the  service  level  agreements  in  the 
contract  and  to  ensure  that  TRA  information  assets  remain  secure.  This 
service  assurance  process  had  not  commenced  as  of  March  31,  2007. 

Implications  and  risks  if  recommendation  not  implemented 

TRA  is  ultimately  responsible  for  the  confidentiality,  integrity,  and 
availability  of  its  information — even  if: 

1 .  it  has  outsourced  some  or  all  of  its  IT  control  environment,  and 

2.  controls  that  protects  its  information  are — even  partly — physically  and 
operationally  removed  from  its  direct  oversight. 

The  outsourced  environment  is  an  integral  part  of  TRA's  IT  control 
environment.  Without  procedures  to  ensure  that  service  providers  maintain 
sound  control  environments  TRA  cannot  depend  on  the  confidentiality, 
integrity  or  availability  of  its  important  business,  financial  or  other  sensitive 
information. 

1.4  Reliance  on  Canada  Revenue  Agency — implemented 
Background 

In  our  2003-2004  Annual  Report  (No.  27 — page  275),  we  recommended 
that  the  Tax  and  Revenue  Administration  division  of  the  Ministry  of 
Revenue  (now  Ministry  of  Finance)  justify  its  reliance  on  the  compliance 
audit  activities  of  the  Canada  Revenue  Agency  (CRA).  The  Ministry  relies 


Undocumented 
processes 


Service  assurance 
process  drafted 


Ministry  relies  on 
CRA 
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almost  completely  on  CRA's  compliance  audit  activities  for  corporate 
taxable  income.  And  it  had  not  obtained  information  from  CRA  on  its 
audits  of  small  and  medium-sized  enterprises  (SMEs). 

Our  audit  findings 

The  Ministry  implemented  the  recommendation.  It  obtained  information 
from  CRA  on  the  audit  results  and  audit  coverage  of  SMEs.  It  compared 
those  results  to  the  results  of  its  own  audit  activities  in  other  programs  and 
decided  that  it  would  not  be  cost  efficient  to  supplement  CRA's  audit 
activities.  The  Ministry  plans  to  request  this  information  yearly  from  CRA 
and  perform  the  same  analysis. 

The  Federal  Auditor  General  is  planning  to  audit  CRA's  compliance  audit 
activities  in  the  next  few  years.  We  will  stay  in  contact  with  them  and  may 
become  involved  in  that  audit.  When  the  results  of  the  audit  are  available, 
the  Ministry  should  have  more  information  with  which  to  assess  whether  it 
can  rely  on  CRA's  compliance  audit  activities.  We  will  then  reassess 
whether  we  should  make  another  recommendation. 

1.5  Monitoring  private  sector  pension  plans 

1.5.1  Compliance  monitoring  framework — implemented 
Background 

On  page  152  of  our  2003-2004  Annual  Report  (No.  14),  we  recommended 
that  the  Office  of  the  Superintendent  of  Financial  Institutions  ensure  that 
compliance  staff: 

•  promptly  review  and  follow-up  on  compliance  information  obtained 
from  private  sector  pension  plans 

•  receive  appropriate  training  to  effectively  discharge  their 
responsibilities 

On  page  152  of  our  2003-2004  Annua/  Report  (No.  15),  we  recommended 
that  the  Office  of  the  Superintendent  of  Financial  Institutions  improve  its 
processes  for  monitoring  private  sector  pension  plans  by: 

•  preparing  a  risk-based  annual  plan  for  its  compliance  monitoring 
program  that  identifies  resources  required  to  effectively  carry  out  the 
plan 

•  reporting  the  results  of  regulatory  activities  by  compliance  staff  to 
senior  management 

•  updating  its  policies  and  procedures  manual 


Obtained 
information  from 
CRA 
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Our  audit  findings 

Implemented  The  Office  has  implemented  these  recommendations.  It  now  requires  more 

pension  plans  to  submit  audited  financial  statements,  and  it  promptly 
reviews  all  submitted  information.  It  developed  and  implemented  a  formal 
competency  and  training  program,  and  there  is  now  adequate 
documentation  of  supervisory  review  and  involvement  in  the  compliance 
monitoring  process.  The  Office  prepares  a  risk-based  annual  plan  that  sets 
out  which  pension  plans  to  examine.  And  it  now  has  a  comprehensive 
policies  and  procedures  manual  to  guide  the  compliance  monitoring 
process. 

1.5.2  Requesting  additional  information — implemented 
Background 

On  page  156  of  our  2003-2004  Annual  Report  (No.  16),  we  recommended 
that,  for  high-risk  employer  pension  plans,  the  Office  of  the  Superintendent 
of  Financial  Institutions  obtain: 

•  assurance  from  pension  plan  auditors  on  the  plans'  compliance  with  the 
Employment  Pension  Plans  Act,  Regulation  and  plan  document 

•  infomiation  on  pension  plan  governance  structure  and  practices 

On  page  156  of  our  2003-2004  Annual  Report,  we  recommended  that  the 
Office  of  the  Superintendent  of  Financial  Institutions  obtain  audited  plan 
financial  statements  from  all  employer  pension  plans. 

Our  audit  findings 

Implemented  j^g  Office  has  implemented  these  recommendations.  It  confirms  that 

pension  plans  comply  with  legislation  through  on-site  examinations,  desk 
reviews,  and  ongoing  compliance  activities.  The  Office  encourages  pension 
plan  administrators  to  achieve  and  maintain  good  governance  practices,  and 
will  assess  a  plan's  governance  during  on-site  examinations.  If  it  sees 
evidence  of  poor  governance  in  plans  that  are  not  the  subject  of  an  on-site 
examination,  the  Office  will  review  governance  practices.  The  Office  now 
requires  pension  plans  whose  assets  meet  a  certain  threshold  to  submit 
audited  financial  statements. 


1.6  Alberta  Investment  Management 

Audit  of  investments         \ye  audited  the  investments  managed  by  Alberta  Investment  Management 

(AIM).  AIM  manages  investments  with  a  market  value  of  approximately 
$70  billion  for  clients  including  pension  funds,  the  Alberta  Heritage 
Savings  Trust  Fund,  endowment  funds  and  other  Alberta  government  funds 
and  entities.  It  manages  investments  in  both  pooled  and  segregated  funds. 
Investment  categories  include  fixed  income,  equities,  private  and  alternative 
investments.  Our  work  included  testing  of  internal  controls  over  the 
purchase,  sale  and  recording  of  investment  balances  and  income.  Our 
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review  of  internal  control  over  financial  reporting  included  an  audit  of  the 
Information  Technology  General  Computer  Controls. 

1 .6.1  Controls  over  derivative  contracts 
Recommendation  No.  25 

We  recommend  that  Alberta  Investment  Management  improve 
internal  controls  over  its  use  of  derivative  contracts  by: 

•  monitoring  the  credit  worthiness  of  approved  derivative 
counterparties 

•  obtaining  derivative  confirmations  from  counterparties 

•  tracking  missing  and  incomplete  derivative  confirmations 

•  confirming  the  details  of  forward  contracts  with  counterparties 


Extensive  use  of 
derivative  contracts 


Background 

Derivatives  are  financial  instruments  or  contracts  whose  value  is  derived 
from  the  value  of  an  underlying  security  or  asset.  AIM  uses  derivatives 
when  investing  in  equity,  fixed  income,  credit  and  foreign  currency 
markets.  AIM  uses  derivative  contracts  to  hedge  or  modify  foreign  currency 
exposure,  to  replicate  equity  or  bond  index  returns,  to  change  a  portfolio's 
(equity /bond)  asset  mix  and  to  provide  downside  market  protection.  AIM 
uses  many  types  of  derivative  contracts  including  interest  rate  and 
cross-currency  interest  rate  swaps,  forward  foreign  exchange  contracts, 
equity  index  swap  contracts,  credit  default  swap  contracts,  bond  index  swap 
contracts,  equity  index  futures  contracts  and  swap  option  contracts.  A  swap 
is  a  contractual  agreement  between  two  counterparties  to  exchange  a  series 
of  cash  flows. 


Swap  counterparties 
should  have  good 
credit  ratings 


The  swap 
confirmation  is  the 
legal  contract 


Missing  and 
incomplete  swap 
confirmations  must 
be  followed  up 


AIM  has  a  policy  of  only  engaging  in  swap  transactions  with  counterparties 
who  have  good  credit  ratings.  Counterparties  are  designated  as  approved  if 
they  have  the  required  credit  rating  and  they  have  signed  an  indemnity 
agreement  with  AIM. 

AIM  investment  traders  enter  into  swap  transactions  by  means  of  an 
unrecorded  telephone  order.  In  order  to  ensure  there  is  agreement  of  the 
terms  of  the  contract,  the  counterparty  sends  a  swap  confirmation  to  AIM. 
The  confirmation  is  the  legal  contract  for  the  swap  and  should  be  signed  by 
representatives  of  both  counterparties. 

The  investments  managed  include  hundreds  of  swap  contracts.  The  logging, 
monitoring  and  follow-up  of  missing  and  incomplete  swap  confirmations  is 
a  key  control  to  ensure  that  swap  confirmations  have  been  obtained  and  that 
they  are  accurate,  properly  authorized  and  legally  valid. 
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Criteria:  the  standards  we  used  for  our  audits 

AIM  should  get  signed  confirmations  from  all  the  parties  it  enters  into  swap 
transactions  with.  Both  parties  to  the  transaction  should  sign  the 
confirmation.  Missing  confirmations  should  be  followed  up  and  monitored. 


Missing  and 
incomplete  swap 
confirmations  are 
not  followed  up  on  a 
timely  basis 


Our  audit  findings 

•  The  listing  of  approved  swap  counterparties  included  a  counterparty 
with  a  credit  rating  below  the  minimum  requirement; 

•  30%  of  the  equity  index  contracts  selected  for  testing  did  not  have 
completed  confirmations,  some  of  which  were  outstanding  for  more 
than  7  months; 

•  AIM  did  not  keep  a  complete  listing  of  missing  and  incomplete  swap 
confirmations; 

•  Forward  contracts  were  not  being  confirmed. 


Risk  of  losses 


Implications  and  risks  if  recommendation  not  implemented 

AIM  may  enter  into  swap  transactions  with  counterparties  without  good 
credit  ratings,  exposing  AIM  clients  to  potential  losses  from  business 
failures.  If  swap  confirmations  are  not  completed  promptly  for  all  swap 
contracts,  and  missing  confirmations  followed  up  and  monitored,  there  may 
be  contracts  with  disputed  terms,  exposing  AIM  clients  to  risk  of  loss. 

1.6.2  Controls  over  private  investments 
Recommendation 

We  recommend  that  Alberta  Investment  Management  improve 
internal  controls  over  private  equity  investments  by: 

•  confirming  the  receipt  of  funds  disbursed  to  private  equity 
partnerships 

•  directing  funds  received  to  a  separate  private  investment 
administration  group  for  deposit  and  recording  of  transactions 

•  reconciling  investment  interests  in  private  equity  partnerships  to 
audited  partnership  financial  statements 


AIM  makes  private 
equity  investments 


Background 

Investments  in  private  equities  are  primarily  held  through  interests  in 
limited  partnerships  in  which  the  Crown  holds  direct  ownership  or  through 
a  Crown  corporation  which  holds  the  Crown's  partnership  interest.  These 
partnerships  may  be  located  in  Canada,  the  United  States  or  outside  North 
America.  Funds  are  authorized  for  investment  in  private  equity  pools  by  the 
AIM  Investment  Committee  but  will  not  be  disbursed  until  a  request  is 
received  from  the  partnership.  These  investments  are  managed  internally 
for  AIM  by  private  equity  portfolio  managers.  Cash  disbursements  to  the 
partnerships  and  cash  receipts  back  from  the  partnerships  are  initiated, 
collected  and  recorded  by  the  private  equity  portfolio  managers.  Externally 
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Lack  of  segregation 
of  duties  between 
private  equity 
portfolio 
management  and 
administrative 
functions 


audited  financial  statements  arc  prepared  for  these  partnerships  annually 
and  are  obtained  by  AIM. 

Criteria:  the  standards  we  used  for  our  audits 

•  Funds  disbursed  to  private  equity  partnerships  should  be  confirmed. 

•  Segregation  of  duties  should  be  maintained  between  the  portfolio 
management  and  administrative  functions  for  private  equity 
investments. 

•  Investments  in  private  equities  should  be  reconciled  to  externally 
prepared  financial  statements  on  a  regular  basis 

Our  audit  findings 

AIM  private  equity  portfolio  managers  do  not  confirm  the  receipt  of  funds 
paid  to  the  private  equity  partnerships.  Cash  distributions  from  the 
partnerships  are  directed  to  the  AIM  private  equity  portfolio  managers  for 
deposit  and  recording  of  transactions  rather  than  to  the  AIM  investment 
administration  group.  The  lack  of  segregation  of  duties  between  the  private 
equity  portfolio  management  function  and  the  administrative  functions  over 
funds  payment,  funds  deposit  and  transaction  recording  is  inconsistent  with 
the  segregation  of  duties  used  for  other  types  of  investment  transactions  at 
AIM.  Although  audited  financial  statements  are  received  for  each  private 
equity  investment  approximately  six  months  after  their  year  end,  the 
partnership  capital  accounts  from  these  financial  statements  are  not 
compared  to  AIM  investment  records. 


Risk  of  fraud  or 
error 


Implications  and  risks  if  recommendation  not  implemented 

Improper  segregation  of  incompatible  functions  is  a  primary  cause  of  fraud 
and  error.  Failure  to  confirm  assets  with  independently  prepared  records 
unnecessarily  delays  identifying  any  fraud  or  error. 

1.6.3  Access  and  change  management  controls 

This  recommendation,  first  made  to  AIM  in  a  2004  management  letter,  is 
repeated  since  the  rate  of  progress  in  implementation  is  too  slow. 

Recommendation 

We  recommend  that  Alberta  Investment  Management  establish  access 
and  change  management  controls  for  its  inv  estment-related  computer 
information  systems. 


Criteria:  the  standards  we  used  for  our  audits 

The  organization  should  have  documented  policies  and  control  procedures 
so  that  all  access  to  all  investment-related  and  support  systems  is  properly 
requested,  approved,  implemented,  reviewed  regularly,  and  terminated 
when  no  longer  required. 
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The  organization  should  also  have  documented  policies  and  control 
procedures  to  ensure  that  all  changes  to  all  investment-related  and  support 
systems  are  properly  requested,  tested  and  approved  before  being  migrated 
to  the  production  systems,  and  that  there  is  appropriate  segregation  between 
the  requestor,  developer,  tester,  and  implementer  of  all  changes. 

Our  audit  findings 

We  did  not  find  adequate  controls  to  ensure  that  all  access  is  appropriate, 
that  all  user  accounts  within  all  investment  related  applications  are  regularly 
reviewed  for  ongoing  business  need  and  that  the  access  is  appropriate  for 
the  job  function.  Also,  we  were  unable  to  obtain  and  review  a  documented 
change  management  control  process — we  sought  evidence  that  all  changes 
to  systems  related  to  or  supporting  investment  management  were  requested 
by  an  approved  person,  were  properly  tested  and  approved  to  be  moved  to 
the  production  system,  and  that  there  was  appropriate  segregation  between 
the  requestor,  approver,  developer,  tester  and  implementer  of  the  changes. 

Implications  and  risks  if  recommendation  not  implemented 

Without  appropriate  Infonnation  Technology  controls,  AIM  may  not  be 
able  to  rely  on  its  data,  applications  and  systems  to  provide  complete, 
accurate  and  valid  information  that  is  appropriately  restricted. 

2.  Performance  reporting 

Unqualified  reports  Qur  auditor's  reports  on  the  March  3 1 ,  2007  financial  statements  of  the 

Ministry  and  the  Department  of  Finance  are  unqualified. 

No  exceptions  noted         We  found  no  exceptions  when  we  completed  our  specified  auditing 

procedures  on  the  Ministry's  performance  measures. 

3.  Other  entities  that  report  to  the  Minister 
3.1  Systems — Alberta  Treasury  Branches 

3.1 .1      Processes  to  confirm  compliance  with  Alberta  Finance  Guideline 
Recommendation  No.  26 

We  recommend  that  Alberta  Treasury  Branches: 

•  improve  the  processes  for  confirming  its  compliance  with  the 
Alberta  Finance  Outsourcing  of  Business  Activities,  Functions  and 
Processes  Guideline. 

•  review  and  assess  which  ATB  staff  should  be  responsible  for 
ensuring  compliance  with  the  Alberta  Finance  Outsourcing  of 
Business  Activities,  Functions  and  Processes  Guideline. 


Access  and  change 
management 
controls  for 
computer 

information  systems 
are  not  adequate 
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Executives  confirm 
compliance  with 
Act.  Regulation  and 
Guidelines 


Background 

ATB  has  a  process  in  place  to  ensure  it  complies  with  the  Alberta  Treasury 
Branches  Act,  Alberta  Treasury  Branches  Regulation,  and  Alberta  Finance 
guidelines.  Executives  must  confirm — through  a  compliance  certificate- 
that  ATB  is  complying  with  the  Act,  Regulation,  and  guidelines.  In  total, 
ATB  prepares  34  certificates  of  its  compliance  with  the  Act.  Regulations 
and  guidelines. 


ATB  must  follow 
Minister  of  Finance 
Guideline  on 
outsourcing 


The  Minister  of  Finance  issued  a  guideline  titled,  Outsourcing  of  Business 
Activities,  Functions  and  Processes  Guideline  (the  Guideline)  on 
July  19,  2004.  It  details  the  Minister  of  Finance's  expectations  for  ATB 
when  considering  outsourcing  business  activities.  ATB  has  developed  an 
Outsourcing  Policy  (the  Policy)  that  matches  the  Guideline.  In  addition  to 
the  Guideline  and  Policy,  ATB  has  developed  a  Financial  Sourcing 
Guidebook  (the  Guidebook)  that  applies  to  all  significant  outsourcing 
arrangements. 


Guideline  provides 
direction  on 
outsourcing 


The  Guideline  provides  direction  on  accountability  and  control,  materiality 
assessments  for  outsourcing  arrangements,  and  risk  management  programs 
for  outsourcing  arrangements.  The  Guideline  contemplates  a  transition 
period  for  ATB  to  bring  outsourcing  arrangements — already  existing  when 
the  Guideline  was  issued — into  compliance  with  the  Guideline. 


ATB  prepared  a  compliance  certificate  for  the  Guideline  in  August  2006. 
The  certificate  identified  four  material  outsourcing  arrangements. 


We  examined 
outsourcing 
compliance 
certificate 


We  examined  ATB's  process  for  making  its  assertion  in  one  of  the 
34  compliance  certificates.  Our  work  focused  on  the  Alberta  Finance 
Outsourcing  of  Business  Activities,  Functions  and  Processes  Guideline. 


Criteria:  the  standards  we  used  for  our  audit 

ATB  should  have  systems  and  processes  in  place  to  ensure  it  complies  with 
the  Guideline,  including  systems  and  processes  to: 

•  evaluate  the  risks  of  all  existing  and  proposed  outsourcing 
arrangements; 

•  assess  the  materiality  of  outsourcing  arrangements; 

•  implement  a  program  for  managing  and  monitoring  risks,  depending  on 
the  materiality  of  the  outsourcing  arrangements;  and 

•  ensure  that  ATB's  Board  of  Directors  receives  sufficient  information  to 
meet  its  duties  under  the  Guideline. 


ATB  should  clearly  assign  responsibility  for  ensuring  compliance  with  the 
Guideline. 
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Systems  and 
processes  are  not 
operating  effectively 


Our  audit  findings 

Processes  for  confirming  compliance 

ATB's  systems  and  processes  underlying  the  assertion  in  the  compliance 
certificate  are  not  operating  effectively  for  the  Outsourcing  of  Business 
Activities,  Functions  and  Processes  Guideline. 


Risk  assessments  not 
documented 


Materiality 
assessment  not  done 
or  not  complete 


Evaluating  risk — there's  insufficient  evidence  that  ATB  evaluated  the 
risks  of  its  existing  and  proposed  outsourcing  arrangements.  There's 
also  insufficient  evidence  that  it  evaluated  risks  for  all  material 
outsourced  arrangements,  as  the  Guideline  requires. 

Assessing  materiality — ATB  has  developed  a  process  to  assess  if  an 
outsourced  arrangement  is  material.  It  did  a  materiality  assessment  for 
a  material  outsourcer  with  a  contract  finalized  after  the  Guideline  was 
issued,  but  that  assessment  was  not  approved  by  ATB  management. 
ATB  cannot  show  that  it  used  its  materiality-assessment  process  for  all 
of  its  outsourcing  arrangements  entered  into  since  the  Guideline  came 
into  effect. 


Risk  management 
program  not  evident 


The  signed  compliance  certificate  included  four  material  outsourcers 
identified  by  Information  Technology  (IT)  staff.  However,  several 
other  ATB  business  units  use  outsourced  arrangements  that  the  IT  staff 
had  not  considered  when  assessing  compliance  with  the  Guideline. 
These  arrangements  include  those  relating  to: 

•  MasterCard, 

•  Electronic  Banking  which  includes  Online  banking  and  Interac, 
and 

•  Central  Services  (application  systems  for  Registered  Income 
Funds  and  Registered  Education  Savings  Plans) 

Managing  and  monitoring  risk — there's  insufficient  evidence  that 
ATB  implemented  a  program  to  manage  and  monitor  risks  for  material 
outsourced  service  providers,  other  than  the  governance  program  IT 
implemented  for  the  outsourcer  that  administers  ATB's  banking 
system.  Further,  for  this  arrangement,  ATB  was  unable  to  show  that  it 
met  all  requirements  under  the  Risk  Management  Program  for  Material 
Outsourcing  Arrangement  section  of  the  Guideline. 

The  Policy  also  states  the  Sourcing  Assurance  group  will 
semi-annually  assess  compliance  with  best  practices  outlined  in  the 
Guidebook  and  identify  internal  processes  that  require  attention.  This 
monitoring  process  is  not  occurring. 
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Board  of  Directors 
does  not  receive 
adequate  reporting 


Informing  the  Board  of  Directors — there's  no  evidence  that  the 
Board  of  Directors  receives  appropriate  and  sufficient  information  to 
meet  its  duties  under  the  Guideline  and  Policy.  The  Guideline  states 
that  the  Board  should  review  a  list  of  all  ATB's  material  outsourcing 
arrangements  and  other  relevant  reports  when  appropriate.  The  Policy 
states  that  "Management  will  also  provide  annual  summary  reporting 
on  the  health  of  each  outsourcing  relationship  previously  approved  by 
the  Audit  Committee  and  the  Board  of  Directors." 


Responsibility  tor 
Guideline 
compliance  should 
be  shared  by  IT  and 
business  units 


Assigning  responsibility  for  compliance 

Responsibility  for  compliance  with  the  Guideline  was  assigned  to  IT. 
However,  assessing  compliance  requires  a  joint  effort  of  IT  and  the 
business  units.  Many  ATB  business  units — in  addition  to  IT — use 
outsourcing.  For  the  four  material  outsourcers  the  compliance  certificate 
identifies,  IT  is  not  fully  responsible  for  managing  three  of  the  outsourced 
business  processes.  At  least  partial  responsibility  for  those  arrangements  is 
with  other  ATB  business  units. 


Implications  and  risks  if  recommendation  not  implemented 

ATB  is  ultimately  accountable  for  all  outsourced  activities.  Without  proper 
controls  and  processes,  ATB  may  be  unable  to  rely  on  the  confidentiality, 
availability,  completeness,  and  validity  of  ATB  client  and  financial  data 
that  outsourcers  handle. 

3.1 .2      Information  technology  control  framework 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  implement  an 
effective  organization-wide  information  technology  (IT)  control 
framework. 


IT  control 
framework  is  a 
critical  element  in 
ensuring  proper  IT 
controls 


Background 

An  IT  control  framework  can  be  a  critical  element  in  ensuring  proper 
controls  over  ATB's  information  and  the  systems  and  processes  that  create, 
store,  manipulate,  and  retrieve  ATB's  client  and  financial  data.  Such  a 
control  framework  can  help  Alberta  Treasury  Branches  bridge  the  gap 
between  control  requirements,  technical  issues,  and  business  risks. 

A  control  framework  gives  management  and  IT  users  a  set  of  generally 
accepted  measures,  indicators,  processes  and  best  practices  to  help  them 
maximize  IT  benefits  with  appropriate  IT  controls.  Organizations  can 
mitigate  risks  by  using  a  control  framework  to  develop  clear  IT  policies  and 
good  practices  for  IT  controls. 
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Criteria:  the  standards  we  used  for  our  audit 

To  implement  an  effective  organizational-wide  IT  control  framework,  ATB 
should: 

1 .  identify  and  adopt  an  organization-wide  IT  control  framework. 

2.  do  an  organization-wide  risk  assessment  to  identify  risks  to  ATB 
information  assets,  which  IT  controls  can  mitigate. 

3.  design  and  implement  adequate  controls  to  mitigate  the  risks. 

4.  assess  the  operating  effectiveness  of  IT  controls. 

5.  implement  a  process  to  sustain  IT  controls  over  the  long-term  and 
periodically  review  the  controls  for  design  adequacy  and  operating 
effectiveness. 


ATB  selected  a 
framework  but  still 
must  implement  the 
framework 


Our  audit  findings 

ATB  has  chosen  Control  Objectives  for  Information  and  related 
Technology  (COBIT)  as  its  IT  control  framework,  however  the  framework 
has  not  been  fully  implemented  by  ATB. 


ATB  has  started 
designing  and 
implementing  IT 
controls 


ATB  has  not  completed  an  organization-wide  IT  risk  assessment.  As  a 
result,  ATB  cannot  clearly  identify  and  support  its  decision  on  which  IT 
controls  can  best  mitigate  its  risks. 

ATB  has  recently  started  designing  and  implementing  its  IT  control 
framework  which  will  assist  ATB  in  mitigating  known  IT  risks  in  its 
computing  environment.  However,  ATB  currently  does  not  have: 

•  processes  in  place  to  ensure  that  IT  controls  are  properly  designed  and 
implemented,  and  operating  effectively. 

•  a  process  to  sustain  its  IT  controls  over  the  long-term  and  improve  IT 
control  design  adequacy  and  operating  effectiveness. 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  appropriate  IT  control  framework,  ATB  cannot  identify  all  risks 
to  its  IT  assets,  and  cannot  effectively  manage  or  mitigate  all  risks.  Nor  can 
it  show  that  it  has  done  so.  As  a  result,  the  entity  cannot  rely  on  its  data, 
applications,  or  systems  to  provide  complete,  accurate  and  valid 
information.  Ultimately,  it  cannot  ensure  that  it  meets  its  business  goals 
effectively. 
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3.1.3     General  loan  loss  allowance 
3.1.3.1    Model  validation 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  annually  validate  the 
general  loan  loss  allowance  (GLLA)  model  against  actual  loan-loss  data 
and  modify  the  model  based  on  the  results  of  the  validation.  We  further 
recommend  that  ATB  report  the  validation  results  and  the  controls  in 
the  model  to  the  Audit  Committee  so  it  can  assess  the  reasonableness  of 
the  GLLA  estimate. 

Background 

ATB's  GLLA  policy  states,  "after  calculating  the  total  proposed  general 
allowance,  tests  will  be  performed  to  confirm  the  reasonableness  of  the 
calculations  including... review  of  the  allowance  against  actual  loss  results 
over  the  past  two-year  cycle,  back  testing  allowance  estimates  relative  to 
actual  results." 

Criteria:  the  standards  we  used  for  our  audit 

ATB  should 

•  regularly  measure  the  model's  effectiveness  against  the  data  it  is 
designed  to  estimate — in  this  case,  actual  loan  losses. 

•  use  the  results  of  this  analysis  to  refine  the  model  and  communicate  the 
results  and  refinements  to  oversight  bodies,  in  this  case,  the  Audit 
Committee. 

The  Audit  Committee  should: 

•  understand  ATB's  GLLA  estimate,  including  the  data  and  assumptions 
in  the  GLLA  estimate. 

•  understand  management's  processes  and  controls  for  ensuring  the 
accuracy  and  validity  of  the  GLLA  model  results  and  be  satisfied  that 
the  estimate  is  based  on  realistic  assumptions,  which  are  regularly 
updated. 

•  obtain  from  management,  at  least  annually,  a  retrospective  analysis  as 
to  how  historical  GLLA  estimates  have  compared  with  actual  results. 
This  would  include  an  assessment  of  actual  amounts  and  the  events  that 
caused  them  to  differ  from  estimates. 


Estimates  need  to  be 
compared  to  actual 
results 
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Estimates  not 
compared  to  actual 
results  on  an  annual 
basis 


Our  audit  findings 

Comparing  model  estimates  to  actual  loan  losses,  refining  the  model 
and  communicating  the  results 

ATB  does  not  annually  compare  its  actual  loan-loss  experience  to  the 
GLLA.  The  last  analysis  was  completed  in  November  2005,  when  it 
analyzed  loan-loss  data  for  the  six  quarters  ended  March  2003.  ATB  did  not 
communicate  the  results  of  the  November  2005  analysis  to  the  Audit 
Committee. 


Review  of  analysis 
not  required  by 
management  or 
Audit  Committee 


While  the  November  2005  analysis  was  factored  into  the  new  GLLA  model 
implemented  in  2006-07,  the  new  GLLA  policy  does  not  require 
management  or  the  Audit  Committee  to  review  such  analysis.  Nor  does  it 
require  ATB  to  refine  the  model  if  it  finds  significant  differences  between 
the  GLLA  estimate  and  actual  losses  or  communicate  those  refinements  to 
the  Audit  Committee. 


New  policy 
approved  in  August 
2006 


The  Audit  Committee  role 

The  Audit  Committee  approved  the  General  Loan  Loss  Allowance  policy  at 
its  August  2006  meeting.  The  meeting  included  an  overview  from  ATB 
management  for  the  Audit  Committee  on  how  the  policy  was  to  be  applied, 
including  the  data  and  assumptions  the  model  uses.  This  overview  provided 
the  Audit  Committee  with  a  basic  understanding  of  the  estimation  process 
and  the  data  and  assumptions  used  in  the  model. 


Audit  Committee 
does  not  receive 
reporting  on 
historical  losses 
compared  to 
estimates 


The  Audit  Committee  has  not  received  retrospective  reporting  from 
management  on  the  actual  results  compared  to  the  estimated  GLLA  and 
reporting  on  the  events  that  caused  the  actual  results  to  differ  from  the 
estimates. 

Implications  and  risks  if  recommendation  not  implemented 

Without  doing  an  annual  analysis  of  the  GLLA  estimate-to-actual  losses, 
ATB  cannot  measure  the  model's  effectiveness.  Without  such  analysis, 
those  in  oversight  roles  do  not  have  sufficient  information  to  understand  the 
validity  of  the  GLLA  estimate  or  the  need  to  improve  the  model's  accuracy. 


Unqualified  opinions 
for  ATB  and  its 
subsidiaries' 
financial  statements 
and  compliance 
audits 


3.2  Performance  reporting — Alberta  Treasury  Branches 

ATB — we  issued  unqualified  auditor's  opinions  for  all  of  the  financial 
statement  audits  we  completed  during  the  year  for  ATB  and  its  subsidiaries 
listed  in  section  3.2  of  Scope.  A  public  accounting  firm  issued  unqualified 
auditors'  reports  for  the  compliance  audits  for  these  subsidiaries. 
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Five  remaining 
recommendations 
from  our  2005  report 


3.3  Systems — Alberta  Securities  Commission 
3.3.1      Enforcement  system — implemented 
Background 

Last  year,  we  reported  that  the  Alberta  Securities  Commission  had 
responded  effectively  to  our  2005  recommendations  to  improve  its  systems 
for  enforcement,  conflicts  of  interest  and  governance.  Five  of  our  ten 
recommendations  were  implemented  and  satisfactory  progress  was  made  on 
the  remainder.  This  year,  our  follow-up  audit  satisfied  us  that  the 
remaining  five  recommendations  have  been  implemented. 


All 

recommendations 
now  implemented 


Our  audit  findings 

The  Commission  has  now  fully  implemented  all  recommendations  arising 
from  our  2005  audit.  Our  findings  on  the  status  of  the  5  remaining 
recommendations  now  follow: 


Enforcement  manual 
developed 


Review  and  clarification  of  policies  and  guidelines — implemented 

An  enforcement  procedures  manual  was  developed.  We  reviewed  the 
manual  and  found  it  complete,  reasonable  and  appropriate.  We  also 
reviewed  enforcement  files  and  concluded  that  enforcement  activities 
complied  with  the  manual. 


Key  performance 
indicators  are 
tracked 


Measurement  of  enforcement  program  performance — implemented 

A  well-designed  system  of  tracking  key  performance  indicators  has  been 
developed  and  is  being  refined  as  the  Commission  continues  to  investigate 
how  other  enforcement  agencies  measure  performance.  Broader  national 
performance  indicators  contemplated  by  the  Canadian  Securities 
Administrators  have  not  yet  developed  sufficiently  to  provide  value  to  the 
Commission. 


Potential  conflict  of 
interest  managed 
appropriately 


Monitoring  compliance  with  conflict-of-interest  policies — 
implemented 

Potential  conflicts  of  interest  by  Members  and  employees  are  being 
managed  appropriately  and  in  accordance  with  an  updated  policy. 
Members  and  employees  provide  disclosure  statements  of  securities  trading 
activity  to  the  Commission  Chair  (for  Members)  and  the  Executive  Director 
(for  employees).  Disclosure  statements  are  routinely  examined  and 
considered  in  the  context  of  ongoing  enforcement  matters.  Potential 
conflicts  are  followed  up  and  resolved. 
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Strengthening  conflict-of-interest  policies — implemented 

A  strong  conflict-of-interest  policy  has  been  developed  and  implemented. 
Disclosure  requirements  for  securities  trading  by  Members  and  employees 
are  clearly  defined.  Prior  to  the  commencement  of  an  enforcement  hearing, 
Members  must  complete  a  declaration  that  they  have  no  conflict  of  interest 
with  respect  to  a  matter  to  be  heard. 

Assessment  of  enforcement  system's  internal  controls — implemented 

Regular  and  frequent  meetings  on  enforcement  issues  are  held  at 
operations,  management  and  executive  levels.  Meetings  are  documented, 
and  matters  are  resolved  and  signed  off  at  appropriate  levels.  The 
Commission's  internal  reporting  system  tracks  key  activities  and  provides 
automated  diary-date  reminders  as  required.  Periodic  independent  reviews 
of  the  enforcement  system  are  planned.  The  Executive  Director  provides 
monthly  updates  to  Members  on  enforcement  activities. 

3.3.2      Hosting  and  working  sessions  policies — progress  report 
Background 

On  page  198  of  our  2004-2005  Annual  Report,  we  recommended  that  the 
Alberta  Securities  Commission  update  policies  and  improve  controls  over 
hosting  and  working  session  expenses. 

Management  actions 

The  Human  Resources  Committee  approved  the  hosting  and  working 
sessions  policies  in  December  2006.  We  will  test  the  controls  in  the  next 
audit  cycle. 

3.4  Performance  reporting — other  entities 

We  issued  unqualified  auditor's  reports  for  all  of  the  financial  statement 
audits  we  completed  during  the  year  for  the  entities  listed  in  section  3.4  of 
Scope. 

3.5  Performance  reporting — Alberta  Heritage  Savings  Trust  Fund 

As  requested  by  the  Ministry,  we  provided  interim  review  reports  on  the 
Alberta  Heritage  Savings  Trust  Fund's  quarterly  financial  statements  to  the 
Minister  of  Finance.  The  reports  say  that  we  are  not  aware  of  any  material 
changes  that  are  needed  for  these  financial  statements  to  meet  Canadian 
generally  accepted  accounting  principles. 


New 

conflict-of-interest 
policy 


Stronger  internal 
controls 


Unqualified  reports 
for  other  entities 
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Summary:  what  we  found  in  our  audits 

Systems 

The  Department  should: 

•  improve  how  it  monitors  and  enforces  compliance  with  its  information 
security  policy — seepage  105. 

•  get  regular  assurance  over  its  outsourced  information  technology 
environment — see  page  106. 

•  improve  its  controls  over  access  and  changes  to  the  system  that  pays 
physicians — see  page  107. 

Performance  reporting 

Our  auditor's  reports  on  the  Ministry  and  Department  financial  statements  are 
unqualified.  We  did  not  report  any  exceptions  on  the  results  of  applying  specified 
procedures. 


Other  entities  that  report  to  the  Minister 

Systems 

•  Capital  Health  should  review  its  underlying  business  processes  to  ensure  that 
it  has  reliable,  accurate  and  timely  financial  information  to  prepare  its 
financial  statements — see  page  1 10. 

•  Calgary  Health  Region  should  improve  its  controls  over  its  computer  systems 
and  follow  its  policy  when  awarding  contracts  for  consulting  services — see 
page  1 14. 

•  Alberta  Cancer  Board  should  improve  its  process  to  remove  access  to  its 
computer  systems  for  terminated  employees — see  page  115. 

•  Alberta  Alcohol  and  Drug  Abuse  Commission  should  document  and  follow  an 
information  technology  control  framework — see  page  1 16. 

Performance  reporting 

1 .  Our  auditor's  report  on  the  Alberta  Alcohol  and  Drug  Abuse  Commission's 
financial  statements  is  unqualified. 

2.  We  issued  unqualified  auditor's  opinions  on  the  financial  statements  of  the  six 
Health  Authorities,  two  Provincial  Boards,  and  the  Health  Quality  Council 
that  we  audit. 

3.  The  appointed  auditors  of  the  three  Health  Authorities  we  don't  audit  issued 
unqualified  auditor's  reports  on  their  financial  statements. 
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Overview  of  the  Ministry 


Ministry  entities 


3  core  businesses 


Ministry  received 
$3.1  billion 


Ministry  spent 
$10.7  billion 


The  Ministry  consists  of  the  Department  of  Health  and  Wellness,  the  Alberta 
Alcohol  and  Drug  Abuse  Commission,  the  nine  Health  Authorities,  the  Alberta 
Cancer  Board,  the  Alberta  Mental  Health  Board  and  the  Health  Quality  Council. 

The  Ministry's  2006-2009  business  plan  identifies  three  core  businesses: 

•  advocate  and  educate  for  healthy  living 

•  provide  quality  health  and  wellness  services 

•  lead  and  participate  in  continuous  improvements  in  the  health  system 

The  Ministry  collected  $953  million  in  premiums  and  fees  in  2006-2007,  received 
$1,590  million  from  the  Government  of  Canada,  had  an  equity  increase  of 
$74  million  from  Health  Authorities  and  Health  Boards,  and  other  income  of 
$420  million. 

The  Ministry  spent  $10.7  billion  in  2006-2007,  for  the  following  services: 


For  more  detail  on  the  Ministry,  visit  its  website  at  www.health.gov.ab.ca. 

Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  the  Department's  general  computer  controls. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  and  Department  for  the 
year  ended  March  31,  2007.  We  completed  specified  auditing  procedures  on 
the  performance  measures  in  the  Ministry's  2006-2007  annual  report. 

3.  Other  entities  that  report  to  the  Minister 

We  audited  the  financial  statements  for  the  year  ended  March  31,  2007,  of  the 
following  other  entities  that  report  to  the  Minister: 

•  Alberta  Alcohol  and  Drug  Abuse  Commission 

•  Alberta  Cancer  Board 

•  Alberta  Mental  Health  Board 

•  Calgary  Health  Region,  and  Carewest,  its  wholly-owned  subsidiary 

•  Capital  Health,  and  Capital  Care  Group  Inc.,  its  wholly-owned  subsidiary 

•  Chinook  Regional  Health  Authority 

•  East  Central  Health 


(billions  of  dollars) 


Health  Authorities 
Physician  Services 
Blue  Cross  Benefit  Program 
All  other 


$  7.3 
2.0 
.6 
.8 
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•  Northern  Lights  Health  Region 

•  Peace  Country  Health 

For  the  other  entities  we  audit  that  report  to  the  Minister,  we  examined  general 
computer  controls,  processes  to  sole-source  contracts,  and  processes  to 
maintain  accurate  accounting  records. 

Health  authorities         vVe  reviewed  the  auditor's  reports  and  management  letters  of  three  Health 
we  don't  audit  ,    ,,     ...  ,     .  .. 

Authorities  that  we  don  t  audit: 

•  Aspen  Regional  Health  Authority 

•  David  Thompson  Health  Region 

•  Palliser  Health  Region 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Unauthorized  network  connections 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  improve  its 
procedures  to  enforce  and  monitor  compliance  with  its  Information 
Security  Policy. 


Requirements  for 
connecting  other 
computers  to  the 
Department's 
systems 


Background 

The  Department's  Information  Security  Policy  states  that  laptops  and  other 
network  equipment,  such  as  wireless  access  points,  must  meet  its  security 
requirements  before  connecting  to  its  network.  The  Policy  also  states  that  the 
Department  must  be  aware  of,  and  approve,  all  access  to  its  systems.  Products 
are  readily  available  that  can  evaluate  computers  and  network  equipment  to 
ensure  that  they  comply  with  security  restrictions  before  they  are  allowed  to 
connect  to  a  computer  network.  The  Government  of  Alberta  Wireless  LAN 
Access  Security  Policy  also  states  "regular  detection  and  testing  of  access 
points  is  required...". 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should: 

•  prevent  unauthorized  computers  and  network  equipment  from  connecting 
to  its  network. 

•  monitor  its  offices  for  unauthorized  wireless  equipment  and  locate  and 
deactivate  it. 

•  ensure  that  computers  and  network  equipment  that  connect  to  its  network 
comply  with  the  Department's  security  policy. 
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Department  tests 
but  doesn't 
follow  up  on  the 
findings 


Our  audit  findings 

The  Department  has  no  automated  preventative  controls  in  place  to  ensure 
only  authorized  equipment  connects  to  its  network.  Instead,  it  conducts 
manual  ad  hoc  reviews  of  equipment  connected  to  the  network,  and  has 
detected  unauthorized  devices.  But  because  of  the  nature  of  these  reviews,  the 
Department  is  unable  to  respond  in  a  timely  manner  to  an  unauthorized  device 
connecting  to  the  network.  In  summary,  the  Department  does  not  have 
processes  in  place  to  ensure  that  devices  that  connect  to  its  network  comply 
with  its  security  policy. 


Unauthorized 
individuals  could 
access  data 


Recognizing  the  need  to  safeguard  its  resources,  the  Department  has  hired  a 
service  provider  to  investigate  alternative  solutions. 

Implications  and  risks  if  recommendation  not  implemented 

Unauthorized  devices  could  expose  the  Department's  information  to 
unauthorized  individuals. 

1.2  Outsourced  environment 
Recommendation  No.  27 

We  recommend  that  the  Department  of  Health  and  Wellness  obtain 
regular  assurance  that  outsourced  information  and  technology  is  properly 
controlled. 


Department 
outsources  its 
computer  systems 


Ways  to  test  the 
service  provider's 
controls 


Background 

The  Department  uses  two  service  organizations  to  maintain  its  computer 
systems.  However,  the  Department  is  ultimately  responsible  for  the 
confidentiality  and  integrity  of  its  information — even  though  the  controls  that 
protect  its  information  are,  at  least  partly,  physically  and  operationally 
removed  from  its  direct  control.  The  outsourced  environment  is  an  integral 
part  of  the  Department's  information  technology  control  environment. 
Application  and  business  process  controls  are  only  reliable  if  the  general 
control  environment  in  which  applications  run  is  sound.  Weak  general  controls 
can  make  well-designed  controls  for  applications  and  business  processes 
ineffective  and  permit  unauthorized  access  to  critical  data. 

The  Department  can  obtain  assurance  that  internal  controls  have  not  been 
compromised  through  a  Trust  Services  review  or  a  Canadian  Institute  of 
Chartered  Accountants  section  5970  review,  which  provides  an  opinion  on  the 
design,  effective  operation  and  continuity  of  control  procedures  at  a  service 
organization.  Between  complete  reviews  (normally  done  every  two  to  three 
years),  organizations  can  get  ongoing  assurance  over  the  outsourced 
environment. 
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In  October  2004,  the  Department,  in  collaboration  with  two  other  ministries, 
received  a  SysTrust  review  of  their  common  service  providers'  control 
environments. 

Criteria:  the  standards  we  used  for  our  audit 

To  maintain  a  reliable  IT  general  control  environment  throughout  the  whole 
organization  the  Department  should  obtain  regular  assurance  on  the  controls  in 
the  outsourced  environment. 


Our  audit  findings 

Since  the  Department  last  received  assurance  on  the  outsourced  environment 
in  October  2004  through  a  SysTrust  certification,  it  has  not  obtained 
independent  ongoing  assurance  on  its  outsourced  environment.  Specifically,  it 
has  not  obtained  adequate  assurance  on  control  environments  outsourced  since 
2004,  such  as  the  development  of  new  computer  applications,  and  the 
maintenance  of  additional  computer  infrastructure. 

The  Department  did  not  request  a  SysTrust  review  in  2006  because  it  was  not 
certain  who  the  service  provider  would  be — the  government  was  developing 
its  Information  and  Communications  Technology  initiative.  It  plans  to  obtain 
ongoing  assurance  on  their  outsourced  environment  beginning  in  the  next 
fiscal  year. 

Implications  and  risks  if  recommendation  not  implemented 

The  outsourced  environment  is  an  integral  part  of  the  Department's  IT  control 
environment.  Without  procedures  to  ensure  that  service  providers  maintain 
sound  control  environments,  the  Department  cannot  depend  on  the 
confidentiality,  integrity  or  availability  of  its  important  business,  financial,  or 
other  sensitive  information. 

1.3  Claims  assessment  system 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  improve 
access  and  change-management  controls  in  the  Claims  Assessment 
System. 

Background 

Organizations  use  manuals  and  reference  materials  to  retain  knowledge, 
especially  in  times  of  high  staff  turnover.  This  technical  information  is  then 
available  for  reference  when  deciding,  within  a  computer  system,  whether 
employees  have  been  granted  appropriate  access  for  their  jobs. 

Organizations  use  a  change-management  process  to  formally  control  changes 
to  the  infrastructure  and  applications. 


No  review  of 
controls  since 
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Service  provider 
claims  processed 
electronically 


Reliability  of 
calculations 
depends  on 
accuracy  of  data- 
tables 


Service  providers  receive  payments  through  a  fee-for-service  system.  To 
receive  a  fee-for-service  payment,  providers  submit  a  claim  electronically  to 
Alberta  Health  &  Wellness  (the  Department),  where  the  Claims  Assessment 
System  (CLASS)  assesses  it. 

CLASS  reviews  claims  for  compliance  with  the  Schedule  of  Medical  Benefits 
(Schedule),  under  the  Alberta  Health  Care  Insurance  Act  and  Regulations. 
CLASS  evaluates  the  claim  against  criteria  defined  in  program  code  rules, 
procedure  lists,  fee-schedules,  edit-and-validation  checks,  and  data-tables.  The 
reliability  of  CLASS  calculations  depends  on  the  accuracy  of  these 
data-tables.  Alberta  health  service  providers  submit  about  39  million  service 
claims  per  year. 

Criteria:  the  standards  we  used  for  our  audit 

Management  should  ensure  that: 

•  business  owners  conduct  regular  reviews  of  access  assignments  to 
CLASS, 

•  documented  manuals  and  references  for  CLASS  exist  so  that  job 
functions  are  not  affected  if  key  staff  members  leave, 

•  any  unauthorized  activity  in  CLASS  can  be  identified,  and  proper 
segregation  of  duties  exists  between  incompatible  job  functions, 

•  a  change-management  process  exists  that  allows  for  only  approved 
changes  to  be  made  to  CLASS. 


No  formal 
process  to  review 
access 


Our  audit  findings 

Access — the  Ministry  randomly  reviews  access  to  CLASS — it  has  no  formal, 
documented  review  process.  Users  get  access  to  CLASS  based  on  their  job. 
Access  is  assigned  through  profiles,  with  pre-set  roles  that  control  what  users 
can  do. 


The  system  can  produce  a  report  of  each  user's  access  profile.  But  the  report  is 
not  detailed  enough  to  show  the  specific  data  tables  an  employee  can  access. 
Using  this  report,  a  security  administrator  would  have  difficulty  assessing 
appropriateness  of  access.  A  security  administrator  should  review  overall 
access  directly  through  the  system,  but  without  a  documented  process,  there  is 
no  evidence  this  review  occurs. 


Department  had 
not  tested  who 
had  changed  data- 
tables 


Review  of  table-modification  reports — the  Ministry  has  many  users  with 
access  to  both  the  test  and  the  production  environments.  The  Ministry  can 
create  a  table-modification  report  to  identify  changes  to  data-tables.  Review  of 
this  report  would  reveal  any  unauthorized  changes.  The  Ministry  had  not  run  a 
table-modification  report  until  we  requested  one  in  March  2007.  Therefore, 
the  Ministry  could  not  identify  unauthorized  changes  to  CLASS.  The  Ministry 
subsequently  created  a  process  to  have  this  report  produced  and  reviewed 
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monthly.  However,  the  two  individuals  who  are  responsible  for  reviewing  this 
report  also  have  authority  to  make  direct  changes  to  the  production 
environment. 

Change  management — not  all  application  and  data  changes  move  from  the 
test  environment  into  production.  In  some  cases,  changes  are  verified  and 
quality-reviewed  in  the  test  environment  and  this  process  is  repeated  in  the 
production  environment. 

Reference  documentation — the  Department  does  not  have  adequate 
documentation  for  CLASS.  Although  some  online  manuals  and  references 
exist,  we  were  unable  to  obtain  any  evidence  that  thorough  documentation 
exists  for  all  the  data-tables  that  make  up  CLASS. 

Implications  and  risks  if  recommendation  not  implemented 

Without  proper  access  control  and  change-management  practices,  the 
Department  is  exposed  to  the  following  risks: 

•  Inappropriate  access  to,  and  disclosure  of,  confidential  information,  and 
increase  in  the  risk  of  unauthorized  changes  in  the  system. 

•  Inadvertent  or  unauthorized  changes  being  made  in  the  production 
environment. 

•  Inefficiencies  in  the  change  management  process. 

2.    Performance  reporting 

2.1  Financial  statements 

2.1 .1      Ministry  and  Department  financial  statements 
Last  year,  we  qualified  our  opinion  on  the  financial  statements  of  the  Ministry 
because  it  did  not  include  the  health  authorities  and  health  boards.  This  year, 
we  removed  our  qualification  because  the  Ministry  included  the  health 
authorities  and  health  boards  using  the  modified  equity  basis  of  consolidation. 

The  modified  equity  method  of  consolidation  is  allowed  as  a  transition  to 
line-by-line  consolidation,  which  will  be  required  for  the  year  ending 
March  31,  2009. 

Under  line-by-line  consolidation,  the  Ministry's  capital  assets  would  have 
been  fully  consolidated  so  net  assets  at  March  31,  2007  would  have  increased 
by  approximately  $4.8  billion'. 

Our  auditor's  report  on  the  March  31,  2007  financial  statements  of  the 
Department  of  Health  and  Wellness  is  unqualified. 


Design  fault  in 
the  computer 
system 


System 

documentation 
not  adequate 


Risks  to  the 
Department 


1  Amount  differs  from  the  amount  of  $5.3  billion  disclosed  in  the  province's  consolidated  financial  statements 
because  the  Ministry  made  a  late  adjustment  after  the  province  released  its  financial  statements.  This  adjustment  did 
not  affect  net  results  of  the  Ministry  or  the  province. 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


109 


Volume  2 — Audits  and  recommendations 


Health  and  Wellness 


2.2  Performance  measures 

We  did  not  identify  any  exceptions  when  we  completed  specified  auditing 
procedures  on  the  Ministry's  performance  measures. 

3.   Other  entities  that  report  to  the  Minister 
3.1  Capital  Health 

3.1.1      Capital  Health — business  processes 
Recommendation 

We  recommend  that  Capital  Health  review  its  underlying  business 
processes  to  ensure  that  it  has  reliable,  accurate,  and  timely  financial 
information  for  preparing  financial  statements. 

Criteria:  the  standards  we  used  for  our  audit 

Capital  Health  should  have  systems  and  processes  to  enable  it  to  prepare 
reliable,  accurate  and  timely  financial  statements. 

Our  audit  findings 

Management  reviewed  all  significant  financial  statement  account  balances 
during  the  2006-2007  year  end.  As  a  result  of  management's  efforts  and 
correcting  errors  identified  during  the  audit,  the  financial  statements  are  fairly 
presented  at  March  31,  2007. 

We  have  identified  areas  where  improvement  to  the  underlying  business 
processes  need  to  be  made  to  ensure  management  has  reliable,  accurate  and 
timely  information  to  support  their  preparation  of  financial  statements  and 
supporting  information  provided  to  the  Audit  Committee  during  the  year. 

a)    Purchasing  system 

The  Authority  relies  on  its  purchasing  system  to  identify  any  unpaid  amounts 
at  year  end  and  records  these  amounts  as  accrued  liabilities.  At  year  end, 
accrued  liabilities  included  amounts  for  which  the  Authority  had  documents 
indicating  that  goods  or  services  had  been  received,  but  for  which  they  had  not 
received  an  invoice.  Management  made  adjustments  at  year  end  to  accruals  to 
ensure  that  the  liabilities  were  not  overstated. 

However,  detailed  review  of  the  open  purchase  orders  is  required  to  determine 
the  cause  of  open  purchase  orders  for  which  the  goods  or  services  have  been 
received.  We  noted  that  there  are  some  aged  purchase  orders  that  remain  in 
the  liability  account  after  the  goods  or  service  has  been  received.  It  is 
possible  the  obligation  to  the  vendor  has  been  settled  through  a  different 
process  than  matching. 
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Benefit  plan 
transactions  not 
recorded 


b)    Employee  benefit  plans 

The  working  papers  presented  for  audit  omitted  the  $14.7  million  of  surpluses 
in  its  employee  benefit  plans.  This  omission  was  corrected  in  the  current  year 
and  retroactively  applied  for  comparative  numbers.  We  understand  that 
Human  Resources  did  not  communicate  this  information  to  the  Finance  and 
Reporting  Group.  It  is  important  that  the  Finance  and  Reporting  Group  be 
given  adequate  and  timely  information  to  ensure  transactions  are  properly 
recorded  in  the  Authority's  financial  records. 


1 ,000  special 
purpose  fund 
accounts 


Need  to  review 
processes  for 
accounting 


c)    Special  purpose  fund  accounts 

The  Authority  has  approximately  1 ,000  special  purpose  fund  accounts  for 
clinical  trials,  education  funds  and  other  purposes.  Special  Purpose  Fund 
balances  are  included  in  the  amount  reported  as  deferred  contributions  in  the 
financial  statements.  The  Authority  can  only  report  amounts  as  deferred 
contributions  if  contributors  external  to  the  Authority  stipulated  that  the  funds 
must  be  spent  for  a  specific  purpose. 

Management  needs  to  more  clearly  define  business  processes  to  establish, 
classify,  provide  interest,  and  release  restricted  non-research  special  purpose 
funds  to  ensure  amounts  are  appropriately  deferred  and  assessed  on  a  timely 
basis.  Management  needs  to  establish  category  types  for  non-research  special 
purpose  accounts  to  allow  for  appropriate  classification.  Accounts  where 
interest  is  to  be  credited  need  to  be  specified  so  that  there  is  clarity  on  amounts 
payable.  The  policy  needs  to  be  updated  regarding  approval  for  expenditures 
against  certain  of  the  funds. 


Implications  and  risks  if  recommendation  not  implemented 

Management  may  not  have  reliable,  accurate  and  timely  information  to 
prepare  financial  statements  and  supporting  information  for  the  audit 
committee  during  the  year. 


3.1 .2     Capital  Health  conflict  of  interest— implemented 
Background 

In  our  2000-2001  Annual  Report,  we  recommended  that  Capital  Health 
enhance  its  conflict-of-interest  processes.  Last  year  we  reported  that  to  finish 
implementing  our  recommendation,  the  Authority  needed  to  revise  the 
corporate  directive  on  conflict  of  interest  to  correct  these  remaining 
deficiencies: 

•  The  directive  did  not  apply  to  all  employees — only  to  executives,  and  it 
did  not  distinguish  executives  from  employees. 

•  The  directive  did  not  specify  what  an  independent  third-party  review 
entailed,  such  as: 

•  the  steps  to  be  taken  if  a  conflict  is  identified. 

•  whether  the  Authority  can  still  contract  when  a  conflict  exists. 

•  the  role  of  the  Authority's  oversight  body  responsible  for  governance. 
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Corporate 
directive  changed 


Our  audit  findings 

Management  finished  implementing  our  recommendation.  The  Authority 
revised  its  corporate  directive  to  correct  these  deficiencies. 

3.2  Calgary  Health  Region 

3.2.1      Calgary  Health  Region — change-management  process 
Recommendation  No.  28 

We  recommend  that  the  Calgary  Health  Region: 

•  apply  its  uniform,  formalized  change-management  procedures  to  all 
significant  applications;  and 

•  document  all  program  changes  and  related  controls. 


Problems 
identified 
previously 


Background 

Information  technology  (IT)  infrastructure,  configuration  and  applications 
supporting  the  financial  reporting  process  change  regularly.  Last  year  we 
found  that  changes  to  its  cheque  writing  computer  program  did  not  follow  the 
Authority's  formalized  set  of  procedures.  The  Authority  did  not  have  evidence 
that  the  program  changes  the  vendor  made  were  appropriate.  When  the 
Authority  implemented  a  new  IT  Infrastructure  management  tool,  previously 
automated  evidence  of  change  approval  and  retention  functionality  was  not 
carried  forward  in  the  conversion  process. 


Criteria:  the  standards  we  used  for  our  audit 

Management  should  ensure  that  changes  to  applications  are  controlled  and 
documented. 


Procedures  not 
always  followed 


Risk  of 

unauthorized 

changes 


Our  audit  findings 

The  Authority  has  implemented  formalized  change-management  policies  and 
procedures,  but: 

•  doesn't  always  follow  its  procedures  when  making  changes  to  applications 
and  infrastructure; 

•  evidence  to  show  program  change  controls  operating  was  unavailable; 

•  didn't  document  program  changes;  and 

•  gave  access  to  the  live  production  environment  to  the  contracted 
developers  for  a  computer  system. 

Implications  and  risks  if  recommendation  not  implemented 

Non-compliance  with  change  controls  and  lack  of  documentation  for 
change-management  exposes  the  Authority  to  unauthorized  or  inappropriate 
changes  being  made.  It  also  reduces  the  ability  of  management  or  external 
parties,  such  as  auditors,  to  evaluate  the  process  retrospectively.  Live 
production  access  by  contracted  developers  exposes  the  Region  to 
unauthorized  changes  and  transactions. 
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3.2.2     Calgary  Health  Region — inappropriate  user  access 
Recommendation  No.  29 

We  recommend  that  the  Calgary  Health  Region  regularly  review  all  user 
accounts  and  roles  assigned  within  systems  and  applications  for 
inappropriate  access  privileges. 

Background 

An  essential  feature  of  a  control  environment  within  an  organization  is  that  no 
employees  or  group  of  employees  has  inappropriate  control  over  any 
transaction  or  group  of  transactions.  Duties  that  should  be  segregated  are: 

•  custody  of  assets 

•  authorization  or  approval  of  related  transactions  affecting  those  assets 

•  recording  or  reporting  of  related  transactions 

Criteria:  the  standards  we  used  for  our  audit 

The  Region  should  have  processes  to: 

•  segregate  incompatible  functions  review  access  to  computer  applications, 
and 

•  remove  access  for  terminated  employees. 
Our  audit  findings 

We  found  general  computer  controls  to  be  ineffective  and  asked  the  Region's 
Internal  Audit  to  extend  testing  of  controls  during  the  year.  They  identified: 

•  2  users  had  inappropriate  access  to  the  secured  network  drive  for  the 
cheque  writing  computer  program. 

•  1 1  inactive  users  had  access  privileges  still  assigned  for  purchase  order 
(PO)  creation, 

•  1 7  users  had  privileges  for  PO  creation  that  may  not  be  necessary, 

•  1 1  users  had  access  to  receive  and  with  access  for  PO  creation,  and. 

•  1 3  users  had  performed  conflicting  duties  relating  to  vendor  maintenance, 
PO  creation,  receiving,  and  the  cheque  writing  program. 

Implications  and  risks  if  recommendation  not  implemented 

Inappropriate  access  to  sensitive  systems  or  privileges  exposes  the  Region  to 
the  risk  of  unauthorized  transactions,  error,  and  fraud. 


Internal  Audit 

identified 

problems 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


113 


Volume  2— Audits  and  recommendations  Health  and  Wellness 


3.2.3     Calgary  Health  Region — contracting  for  consulting  services 
Recommendation  No.  30 

We  recommend  that  the  Calgary  Health  Region  follow  its 
contract-management  policy  and  processes  in  awarding  contracts  for 
consulting  services. 

Background 

To  ensure  that  contracts  are  cost-effective  in  delivering  services,  contracting 
policies  and  practices  must  be  appropriate  and  enforced.  To  respond  to 
allegations  in  the  Legislative  Assembly  about  the  awarding  of  consulting 
contracts,  we  reviewed  the  Region's  awarding  of  contracts  to  two  consultants. 

Criteria:  the  standards  we  used  for  our  audit 

The  Region's  policy  for  Fair  Competitive  Processes  and  Ethical  Business 
Practices  (revised  in  2002)  outlines  when  a  contract  may  be  sole  sourced 
without  a  competitive  bid  process.  For  non-patient  services,  the  Region  may 
sole  source  contracts  as  follows: 

•  Contracts  less  than  $25,000 — no  requirement  to  document  the  decision. 

•  Contracts  between  $25,000  and  $100,000 — clear  documentation  of  the 
reasons  for  sole  sourcing  and  approval  by  the  appropriate  vice-president 
both  required.  Appropriate  reasons  include: 

•  Urgent  and  unforeseeable  situations. 

•  Cases  of  confidentiality  and  privileged  information. 

•  Expansion  of  or  addition  to  an  existing  system  or  equipment. 

•  Lack  of  other  qualified  providers. 

•  Competitive  process  not  cost  effective  given  the  anticipated  contract 
value. 

•  Contracts  greater  than  $100,000 — sole-sourcing  is  not  an  option;  a  formal 
competitive  process  is  required. 

Our  audit  findings 

We  reviewed  two  consulting  contracts.  One  contract  for  the  period 
November  1,  2005  to  October  31,  2006  with  I3  Strategies  Inc.  was  valued  at 
$42,000  ($3,500  per  month)  and  not  to  exceed  $50,000,  and  did  not  have 
documented  justification  for  the  decision  to  sole  source  the  contract  to  the 
consultant.  The  second  contract  with  Charlebois  Consulting  Ltd.,  valued  at 
$12,600,  did  not  have  any  supporting  documentation  justifying  the  decision  to 
sole  source,  which  was  in  accordance  with  the  policy. 

In  addition  to  these  findings,  we  also  found: 

•  The  contract  with  I3  Strategies  Inc.  was  approved  after  the 
commencement  of  services. 

•  Evaluation  of  prior  services  rendered  by  the  consultants  were  not 
completed. 


No  support  for 
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Implications  and  risks  if  recommendation  not  implemented 

If  the  Authority  doesn't  enforce  compliance  with  its  policies,  it  may  enter  into 
inappropriate  contracts. 

3.2.4     Calgary  Health  Region — Purchase  of  Calgary  Lab  Services  (CLS) 
On  April  1,  2006,  the  Region  purchased  the  remaining  50.01%  interest  in 
CLS.  The  purchase  price  was  $43.6  million,  of  which  $1.6  million  was  paid  by 
settling  a  sub-lease  with  CLS  and  $42  million  was  financed  using  long-term 
debt.  The  purchase  price  exceeded  the  value  of  the  net  identifiable  assets 
acquired  by  $25.8  million,  which  was  recorded  as  goodwill. 

The  consolidated  financial  statements  of  the  Region  as  at  March  31,  2007 
include  100%  of  the  operating  results  and  balances  of  CLS  for  a  full  year.  We 
examined  management's  accounting  for  the  CLS  purchase  and  operations  and 
conclude  that  the  amounts  are  appropriately  reported  in  the  Region's  financial 
statements. 

3.3  Alberta  Cancer  Board — controls  over  access  to  computer  applications 
Recommendation 

We  recommend  that  the  Alberta  Cancer  Board  promptly  end  network 
and  application  access  for  terminated  employees. 

Background 

When  an  employee  is  terminated,  Human  Resources  or  a  department  head  tells 
the  IT  Department,  who  ends  computer  access  for  terminated  employees. 

Criteria:  the  standards  we  used  for  our  audit 

The  Board  should  have  adequate  controls  to  end  system  access  for  terminated 
employees. 

Our  audit  findings 

Four  of  15  terminated  employees  sampled  still  had  access  to  the  network  and 
specific  applications.  They  still  had  active  network  accounts.  The  Senior 
Application  Administrator  and  Security  Officer  confirmed  this. 

Implications  and  risks  if  recommendation  not  implemented 

The  Board  has  increased  risk  of  unauthorized  and  undetected  access  to  its 
systems  and  of  data  manipulation.  Board  systems  include  confidential 
information  on  patients  and  the  Board  may  breach  that  confidentiality. 
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3.4  Alberta  Alcohol  and  Drug  Abuse  Commission — general  computer 
controls 

Recommendation 

We  recommend  that  the  Alberta  Alcohol  and  Drug  Abuse  Commission 
document  and  follow  a  comprehensive  information  technology  control 
framework. 

Background 

The  Alberta  Alcohol  and  Drug  Abuse  Commission  (the  Commission)  depends 
on  computerized  financial  and  client  information  systems  to  conduct  business 
activities  and  generate  reliable  financial  reporting. 

Important  information  technology  (IT)  systems  that  the  Commission  maintains 
include  its  general  network  environment,  payroll  and  fee  revenue  receipts 
software,  and  its  client  treatment  and  tracking  software,  ASSIST.  The 
Commission  also  relies  on  the  government's  financial  accounting  system. 

Criteria:  the  standards  we  used  for  our  audit 

The  Commission  should  have: 

•  a  comprehensive  IT  control  framework  to  document  and  implement 
appropriate  polices  and  procedures. 

•  IT  controls  to  safeguard  its  data  and  systems  against  unauthorized  use, 
disclosure,  modification,  damage  and  loss. 

Our  audit  findings 

The  Commission  does  not  have  a  comprehensive  IT  control  framework. 

Although  it  has  some  documented  policies  and  procedures  currently  in  place, 
there  is  insufficient  evidence  that  the  majority  of  these  policies  operated 
effectively  throughout  the  year. 

The  Commission  has  various  informal  controls  or  processes  that  are  known 
and  followed  by  staff.  However,  these  control  processes  are  not  adequately 
documented  and  there  is  insufficient  evidence  the  majority  of  these  policies 
were  operating  effectively  throughout  the  year. 

Implications  and  risks  if  recommendation  not  implemented 

The  Commission  may  not  be  able  to  rely  on  its  data,  applications,  or  systems 
to  provide  complete,  accurate  and  valid  information. 


Commission 
depends  on 
computers 


Several  systems 
maintained 


Lack  of  evidence 
that  policies 
operate 
effectively 
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Health  and  Wellness 


Performance  reporting — financial  statements 

Internal  control  problems  at  Authorities  that  we  don't  audit 

Background 

We  do  not  audit  Palliscr  Health,  Aspen  Regional  Health  Authority  or  David 
Thompson  Health  Region.  But  we  reviewed  the  management  letters  sent  to 
them  by  their  auditors.  Audits  are  not  designed  to  assess  all  key  systems  of 
control  and  accountability.  However,  auditors  communicate  any  weaknesses 
to  management  that  came  to  their  attention  when  auditing  the  financial 
statements. 


Our  audit  findings 

The  following  weaknesses  were  noted  by  Authorities*  auditors: 


Aspen  Regional 
Health  Authority 

David  Thompson 
Health  Region 

Processes  to  have  service 
provider  controls  reviewed 

V 

Controls  to  calculate 
employees'  pensionable 
earnings  in  accordance  with  the 
Local  Authorities  Pension 
legislation 

Controls  to  pay  Board  members 
in  accordance  with  the  Alberta 
Government's  directive 

V 

Disaster  recovery  plans 

V 

Control  over  access  to  computer 
systems  such  as  payroll 

V 

V 

Timely  preparation  and  review 
of  bank  reconciliations 

No  recommendations  were  made  to  Palliser  Health  by  their  auditors. 


4.2  Auditors'  opinions  on  Health  Authorities  and  Boards 

We  issued  unqualified  auditor's  reports  on  the  financial  statements  of  the  six 
Health  Authorities,  two  Provincial  Boards,  and  the  Health  Quality  Council 
that  we  audit.  Scope,  on  page  104  of  our  report,  lists  these  entities. 

The  financial  statements  of  three  health  authorities  that  we  don't  audit 
received  unqualified  auditor's  opinions  from  their  appointed  auditors. 


4. 
4.1 

Health  authorities 
we  don't  audit 
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Infrastructure  and  Transportation 


Four  core 
businesses 


Ministry  spent 
$2.7  billion 


Infrastructure  and  Transportation 

Summary:  what  we  found  in  our  audits 


Systems 

The  Ministry  of  Infrastructure  and  Transportation  should  monitor  highway  transfer 
agreements  to  ensure  that  transactions  are  appropriately  recorded  in  its  financial 
statements — seepage  120. 

Performance  reporting 

Our  auditor's  report  on  the  Ministry's  financial  statements  for  the  year  ended 
March  31,  2007  is  unqualified.  We  found  no  exceptions  when  we  completed 
specified  auditing  procedures  on  the  Ministry's  performance  measures. 

Other  audit 

We  issued  an  unqualified  opinion  on  the  annual  summary  of  eligible  expenditures 
of  the  Canada — Alberta  Strategic  Highway  Infrastructure  Program. 


The  Ministry  has  four  core  businesses: 

•  Manage  provincial  transportation  safety  programs 

•  Plan,  develop  and  manage  government-owned  and  leased  infrastructure 

•  Partner  with  municipalities,  boards  and  other  government  departments  and 
agencies  to  plan,  develop  and  implement  infrastructure  that  meets  local  and 
government  needs 

•  Represent  Alberta's  interests  in  Canadian  transportation  policy 

In  2006-2007,  the  Ministry  spent  approximately  $2.7  billion  on  the  following: 


Overview  of  the  Ministry 


Municipal  support  program 
Provincial  highway  systems  and  safety 
Infrastructure  operation,  preservation  and  expansion 
Energy  rebates 
Emergent  projects 


(millions  of  dollars) 

$  1,134 


713 
439 
378 
9 
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Ministry  The  Ministry's  revenue  from  sources  external  to  the  government  in  2006-2007 

received  crin  ™n;~~ 

.„.  was  $333  million. 

$333  million 

For  more  detail  on  the  Ministry,  visit  its  website  at  www.inftra.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  followed  up  on  our  previous  year's  recommendation  on  the  physical 
security  of  government  buildings. 

2.  Performance  reporting 

We  audited  the  Ministry's  financial  statements  for  the  year  ended 
March  31,  2007.  We  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

3.  Other  audit 

We  audited  the  annual  summary  of  eligible  expenditures  of  the 
Canada-Alberta  Strategic  Highway  Infrastructure  Program  for  the  year  ended 
March  31,  2007. 


Our  audit  findings  and  recommendations 

1 .  Systems 
1.1  Highway  transfers 
Recommendation 

We  recommend  that  the  Ministry  of  Infrastructure  and  Transportation 
monitor  highway  transfer  agreements  to  ensure  that  transactions  are 
appropriately  recorded  in  its  financial  statements. 

Background 

The  City  of  Edmonton  and  the  province  entered  into  a  Highway  Transfer 
Agreement  on  March  15,  2005  that  transferred  title,  direction,  control  and 
management  of  the  roadways  and  interchanges  listed  in  the  Agreement  from 
the  city  to  the  province. 

The  transfer,  authorized  by  Ministerial  Order  #  40/06,  was  effective  on 
October  11,  2006.  The  following  roadways  and  interchanges  on  the  Southwest 
portion  of  the  Edmonton  Ring  Road  were  transferred  to  the  province: 
•     Highway  1 6  ( Yellowhead  Trail)  from  the  west  city  limit  to  Anthony 
Henday  Drive 
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•  Anthony  Henday  Drive  from  Highway  16  to  Highway  2  South 

•  Highway  2  South  from  Anthony  Henday  Drive  to  the  south  city  limit 

Tangible  capital  assets  and  net  assets  were  increased  by  $96  million  on  both 
the  province's  consolidated  financial  statements  and  the  Ministry's  financial 
statements. 


City  of 
Edmonton 
transferred 
$96  million  of 
assets  to  the 
province 


Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  monitor  highway  transfer  agreements  to  ensure  that  the 
transactions  are  appropriately  recorded  in  the  financial  statements. 

Our  audit  findings 

Just  days  before  the  deadline  for  completing  the  province's  consolidated 
financial  statements,  the  Ministry's  Finance  Branch  became  aware  of  a  March 
2005  agreement  that  resulted  in  the  transfer  of  assets  from  the  City  of 
Edmonton  to  the  province.  The  Finance  Branch  estimated  the  net  book  value 
of  the  assets  transferred  at  $96  million. 


To  support  its  estimate,  management  developed  a  list  of  capital  grants  paid  to 
the  City  from  1989  to  2006.  The  list  also  included  amounts  that  the  City 
contributed  to  construct  the  roadways  and  interchanges  during  these  years. 


However,  due  to  the  delay  in  identifying  this  transaction,  the  Ministry  had 
difficulty  providing  supporting  documentation  for  the  transaction  by  the 
deadline  for  completing  the  province's  consolidated  financial  statements. 


Implications  and  risks  if  recommendation  not  implemented 

Ministry  should  The  Ministry's  financial  statements  could  be  misstated  if  the  Ministry  does  not 

transfer  h'ghway         monitor  highway  transfer  agreements  and  record  the  underlying  financial 
agreements  transactions  promptly. 


Security  of 
government 
buildings 
improved 


1.2  Physical  security  of  government  buildings — implemented 
Background 

In  our  2002-2003  Annual  Report  (No.  28 — page  187),  we  recommended  that 
the  Ministry  improve  the  security  of  government  buildings  and  the  safety  of 
the  people  who  use  them.  Management  accepted  the  recommendation  and 
agreed  to  implement  a  better  system.  We  reported  satisfactory  progress  in  our 
2004-2005  and  2005-2006  Annual  Reports. 
Our  audit  findings 

The  Ministry  fully  implemented  the  recommendation  by: 

•  recognizing  the  ongoing  and  dynamic  nature  of  security  requirements  by 
employing  appropriate  full-time  staff 

•  continuing  to  deliver  physical  and  building  security  awareness 
presentations  to  management  and  staff 
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•  completing  security  reviews  and  cost  estimates  for  the  security  needs  of 
single-client-use  buildings 

•  developing  technical  standards  and  criteria  to  ensure  consistent 
application  of  security  principles  across  all  government  buildings 

2.  Performance  reporting 

2.1  Financial  statements 

Our  auditor's  report  contains  an  unqualified  opinion  on  the  Ministry's 
financial  statements  for  the  year  ended  March  31,  2007. 

2.2  Performance  measures 

We  found  no  exceptions  when  we  completed  the  specified  auditing  procedures 
on  the  Ministry's  performance  measures. 

3.  Other  audit 

We  issued  an  unqualified  opinion  on  the  annual  summary  of  eligible 
expenditures  for  the  Canada — Alberta  Strategic  Highway  Infrastructure 
Program. 
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International,  Intergovernmental 
and  Aboriginal  Relations 

Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  should  improve  their  systems  for  monitoring  grants — see 
page  124. 

Performance  reporting 

Our  auditor's  report  on  the  Ministry  financial  statements  was  unqualified.  We 
found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 


Overview  of  the  Ministry 

The  Ministry  has  the  following  five  core  businesses: 

•  Canadian  Intergovernmental  Relations 

•  International  Relations 

•  Trade  Policy 

•  Trade  Promotion 

•  Aboriginal  Governance,  Economic  Development  and  Consultation 

Ministry  spent  \n  2006-2007,  the  Ministry  spent  $54  million  on  the  following  programs: 

S54  million 

(millions  of  dollars) 

Aboriginal  Governance,  Consultation  and 


Economic  Development  $  29 

International  Offices  and  Trade  1 3 

Ministry  Support  Services  5 

International  Relations  4 
Canadian  International  Relations 

Trade  Policy  1 


The  Ministry  has 
five  core  businesses 


No  external  revenue    The  Ministry  receives  no  revenue  from  sources  external  to  government. 

Website  For  more  information  about  the  Ministry,  visit  its  website  at 

www.international.gov.ab.ca. 
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International,  Intergovernmental  and  Aboriginal  Relations 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

Financial  statements  \ye  audited  the  financial  statements  of  the  Ministry  for  the  year  ended 

March  31,  2007. 

2.  Performance  reporting 

Performance  \ye  completed  specified  auditing  procedures  on  the  Ministry's  performance 

measures 

measures. 


Our  audit  findings  and  recommendations 

1 .  Systems 
1.1  Grant  monitoring 
Recommendation 

We  recommend  that  the  Ministry  implement  an  effective  risk  based 
system  to  ensure  grant  recipients  comply  with  the  terms  and 
conditions  of  grants. 


Ministry  issues 
$19M  in  grants  for 
Aboriginal  Program 


Applications  for 
grant  must  be 
submitted  and 
approved 


Background 

The  Ministry  issued  $19  million  in  grants  for  Aboriginal  programs.  The 
following  are  examples  of  grant  programs: 

•  Traditional  Use  Studies — this  program  provides  funding  to  First 
Nations  to  prepare  a  study  identifying  where  aboriginal  people  hunt, 
fish  and  trap  on  public  land. 

•  First  Nations  Economic  Partnership  Initiative  (FNEPI) — this  program 
is  designed  to  increase  First  Nations  participation  in  the  economy. 

•  The  Partnership  Program — this  program  supports  the  establishment  of 
a  province-wide  network  of  regional  partnership  coordinators. 
Regional  partnership  coordinators  are  employees  of  a  First  Nation 
organization  and  work  within  a  specified  region  and  with  other 
stakeholders  to  pursue  economic  opportunities  and  develop  regional 
economic  partnerships. 

Applications  for  all  grants  are  submitted  to  the  Ministry.  The  Ministry 
reviews  the  applications  and  if  the  applicant  is  approved,  the  Ministry 
enters  into  a  grant  agreement. 
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Grant  recipients 
submit 

accountability 
reports 


The  grant  agreement  specifies  that  the  grant  recipients  must  submit  reports 
to  the  Ministry  on  how  the  funds  w  ere  spent.  For  example,  the  Partnership 
Program  Agreement  requires  the  recipient  to  provide  performance  results 
reports  and  audited  financial  statements. 


Criteria:  the  standards  we  used  for  our  audit 

Adequate  controls  should  exist  to  ensure  that  grants  are  issued  to  qualified 
recipients  and  that  the  terms  and  conditions  of  the  grant  arc  met. 


Recipients  do  not 
always  comply  with 
reporting 
requirements 


Our  audit  findings 

Grant  recipients  do  not  always  comply  with  reporting  requirements.  In  3  of 
the  17  grants  sampled,  we  found  that  accountability  reports  were  not 
received  a  year  after  the  reporting  deadline.  New  grants  funds  were 
advanced  to  these  same  recipients  even  though  they  had  not  complied  with 
the  terms  of  the  prior  agreements. 


Clarification  of 
reporting  timelines 
needed 


The  reporting  timelines  could  be  clarified  before  finalizing  agreements. 
The  reporting  deadlines  for  financial  statements  specified  in  the  grant 
agreements  do  not  always  match  with  the  grant  recipient's  year  end. 


Implications  and  risks  if  recommendation  not  implemented 

Public  money  may  be  spent  on  purposes  other  then  those  intended. 
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Justice  and  Attorney  General 

Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  should  improve  their  general  computer  controls  by: 

•  developing  and  documenting  Information  Technology  security  policies — see 
page  128. 

•  documenting  and  testing  disaster  recovery  plans  for  all  Information 
Technology  systems — see  page  129. 

•  improving  access  controls  over  their  information  systems — see  page  130. 

•  developing  and  documenting  Information  Technology  security  policies  that 
consider  judicial  needs  for  the  Civil  and  Sheriff  Entry  system — see  page  131. 

Performance  reporting 

We  issued  unqualified  auditor's  reports  on  the  financial  statements  of  the  Ministry 
and  the  Office  of  the  Public  Trustee,  Estates  and  Trusts.  We  found  no  exceptions 
when  we  completed  specified  auditing  procedures  on  the  Ministry's  performance 
measures. 


Overview  of  the  Ministry 

The  Ministry's  2006-2009  business  plan  describes  four  core  businesses: 

•  Prosecutions 

•  Courts 

•  Legal  and  strategic  services  to  government 

•  Justice  services  to  Albertans 

Ministry  received  Total  revenue  for  the  Ministry  was  $143  million  in  2006-2007.  The  Ministry's 
$143  million 

main  revenue  sources  are: 

(millions  of  dollars) 


Fines  and  related  late  payment  penalties  $  65 

Fees  37 

Transfers  from  the  federal  government  1 3 

Maintenance  enforcement  program  1 1 

Motor  vehicle  accident  recovery  8 


Four  core 
businesses 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


127 


Volume  2 — Audits  and  recommendations 


Justice  and  Attorney  General 


Ministry  spent 
$331  million 


Ministry  manages 
trust  funds 


The  total  operating  expenses  for  the  Ministry  were  $331  million  in 
2006-2007,  comprised  mainly  of: 


The  Ministry's  Court  Services  division 

Legal  services 

Support  for  legal  aid 

Motor  vehicle  accident  claims 

Office  of  the  Public  Trustee 

Medical  examiner 


(millions  of  dollars) 

$  142 
91 
43 
26 
11 
6 


The  Ministry  manages  trust  funds  of  approximately  $548  million.  This  amount 
includes  $473  million  administered  by  the  Office  of  the  Public  Trustee. 

For  more  detail  on  the  Ministry,  visit  its  website  at  www.gov.ab.ca/just/. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  the  Information  Technology  (IT)  controls  of  four  systems:  the 
Civil  and  Sheriff  Entry  system  (CASES),  Maintenance  Information 
Management  system  (MIMS),  Justice  Online  Information  Network  (JOIN) 
and  Public  Trustee  Information  system  (PTIS). 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  and  the  Office  of  the 
Public  Trustee,  Estates  and  Trusts  for  the  year  ended  March  3 1 ,  2007.  We 
completed  specified  auditing  procedures  on  the  Ministry's  performance 
measures. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Information  Technology  Security 
Recommendation  No.  31 

We  recommend  that  the  Ministry  of  Justice  develop  and  document 
Information  Technology  security  policies. 

Background 

The  Ministry  of  Justice  provides  services  through  its  divisions,  which  include 
the  Department  of  Justice,  the  Ministry's  Court  Services  division  and  the 
Office  of  the  Public  Trustee. 


We  examined 
Information 
Technology 
controls 


Ministry  has 

decentralized 

divisions 
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No  overall 
Information 
Technology 
security  policies 


Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should: 

•  develop,  document  and  publish  security  policies  that  guide  all  divisions 
in  delivering  Information  Technology  (IT)  sen  ices; 

•  enforce  compliance  with  these  policies; 

•  provide  regular  security  awareness  training  for  staff  members. 

Our  audit  findings 

The  Ministry  has  no  overall  IT  security  policies.  It  has  developed  and 
documented  system-specific  security  policies  for  its  major  IT  systems,  such 
as  Justice  Online  Information  Network  (JOIN)  and  Maintenance  Information 
Management  system  (MIMS).  But  it  has  not  done  so  for  the  Civil  and  Sheriff 
Entry  system  (CASES),  administered  by  the  Ministry's  Court  Services 
division,  or  the  Public  Trustee  Information  system  (PTIS),  administered  by 
the  Office  of  the  Public  Trustee.  The  Ministry  does  not  provide  regular 
security  awareness  training  for  staff,  nor  has  it  defined  roles  or 
responsibilities  to  monitor  compliance  against  the  security  policies. 


The  Ministry  has  established  an  Information  and  Technology  Management 
Governance  Committee,  which  is  working  to  develop  a  strategic  plan. 


Reliability  of 
information 
systems  may  be  at 
risk 


Implications  and  risks  if  recommendation  not  implemented 

Without  comprehensive  IT  security  policies  at  the  Ministry-level,  security 
policies  among  the  divisions  may  be  inconsistent  and  compliance  may  not  be 
enforced.  A  weakness  in  one  IT  system  may  disrupt  normal  operations  for 
other  systems  and  decrease  the  overall  reliability  of  the  Ministry's 
information  systems. 


1.2  Disaster  Recovery  Plans 
Recommendation 

We  recommend  that  the  Ministry  of  Justice  document  and  test  disaster 
recovery  plans  for  all  Information  Technology  systems. 


Overall  Business 
Continuity  Plan 
has  identified 
critical  systems 


Background 

The  Ministry  of  Justice  has  developed  an  overall  Business  Continuity  Plan 
(BCP)  for  all  divisions  in  the  Ministry.  The  divisions  update  the  BCP 
annually.  The  BCP  has  classified  several  Information  Technology  (IT) 
systems  as  critical  and  one  of  the  critical  IT  systems  has  a  documented 
disaster  recovery  plan.  The  Ministry's  critical  IT  systems  are  hosted  at 
Service  Alberta's  Edmonton  central  computing  centre  and  at  the  Ministry's 
in-house  data  centre. 
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Criteria:  the  standards  we  used  for  our  audit 

The  following  key  procedures  should  be  used  to  develop  disaster  recovery 
plans  (DRP)  for  all  critical  IT  systems: 

•  Determine  IT  system  recovery  requirements  based  on  the  importance  of 
the  business  processes  as  identified  in  the  BCP; 

•  Establish  and  implement  backup  and  recovery  methodologies  and 
techniques  based  on  IT  system  recovery  requirements; 

•  Co-coordinate  and  establish  appropriate  IT  system  recovery  capabilities 
with  service  providers  based  on  recovery  requirements; 

•  Develop  a  testing  schedule  to  periodically  validate  IT  system  recovery 
capabilities  and  timeframes. 

Our  audit  findings 

The  Ministry  does  not  have: 

•  Functional  documented  disaster  recovery  plans  to  guide  the  recovery  of 
the  systems  identified  as  critical,  within  the  required  timelines; 

•  Validated  backup  and  recovery  procedures  to  ensure  that  the  data  can  be 
recovered  from  the  backup  media; 

•  Established  recovery  capabilities  agreed  on  in  the  service  level 
agreement  with  its  service  provider,  Service  Alberta; 

•  Validation  of  the  recovery  procedures  based  on  periodic  tests.  These  tests 
would  ensure  that  the  Ministry  can  recover  its  critical  applications  and 
associated  infrastructure  in  the  required  timelines. 

Implications  and  risks  if  recommendation  not  implemented 

The  lack  of  functional  documented  disaster  recovery  plans  may  delay  or 
seriously  impair  the  restoration  of  critical  applications  and  business  processes 
in  the  event  of  a  service  disruption. 

1.3  Information  Technology  Access  Controls 
Recommendation 

We  recommend  that  the  Ministry  of  Justice  improve  access  controls  over 
its  information  systems  by: 

•  reviewing  user  access  rights  regularly,  and 

•  adopting  strong  password  controls. 


Disaster  recovery 
plans  required  for 
critical  systems 


Restoration  of 
critical 

applications  may 
be  impaired 


130 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 — Audits  and  recommendations 


Justice  and  Attorney  General 


Best  password 
practices  should 
be  followed  for 
critical  systems 


Background 

The  Ministry's  computer  systems  require  a  valid  useraame  and  password. 
Best  practices,  such  as  the  Government  of  Alberta  Identity  and  Authentication 
Standard  and  National  Institute  of  Standards  and  Technology  Special 
Publication  800-63,  provide  guidelines  for  strong  passwords  for  critical  and 
confidential  systems  such  as  the  Civil  and  Sheriff  Entry  system  (CASES). 
Maintenance  Enforcement  Management  system  (MIMS),  Justice  Online 
Information  Network  (JOIN)  and  Public  Trustee  Information  system  (PTIS). 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should: 

•  document  and  publish  a  password  policy  that  meets  industry  best 
practices. 

•  configure  IT  systems  to  comply  with  this  policy. 

•  require  IT  system  owners  to  periodically  review  and  confirm  that  user 
access  rights  serve  a  business  need  and  that  the  access  level  is 
appropriate. 


No  review  of  user 
access  to  critical 
systems 


Ministry 
password  policy 
does  not  meet 
best  practice 


Our  audit  findings 

There  was  no  documented  process  to  regularly  review  user  access  for  the  IT 
systems  we  audited:  MIMS,  JOIN,  CASES  and  PTIS.  The  Ministry  has  an 
informal  process  to  verify,  by  email,  the  appropriateness  of  access  granted  to 
the  MIMS  application.  However,  the  process  is  not  documented,  nor  does  it 
verify  if  a  user's  access  level  is  appropriate  for  the  job. 

The  current  password  policy  does  not  meet  industry  best  practice  -  users  can 
reuse  their  old  passwords  during  the  same  day,  and  the  minimum  password 
length  is  7  characters.  Industry  best  practice  recommends  a  minimum 
password  age  policy  so  that  passwords  cannot  be  used  again  within  a 
specified  period,  and  a  minimum  password  length  of  8  characters. 


Implications  and  risk  if  recommendation  not  implemented 

Inadequate  access  and  password  controls  increase  the  risk  of  inappropriate 
access  to  the  Ministry's  IT  systems.  This  could  result  in  unauthorized  changes 
to  critical  information. 


1.4  Judicial  Information  Technology  Security 
Recommendation 

We  recommend  that  the  Ministry  of  Justice  improve  controls  over  the 
Civil  and  Sheriff  Entry  system  by  developing,  documenting  and 
implementing  Information  Technology  security  policies  consistent  with 
the  guidance  in  the  "Blueprint  for  the  Security  of  Judicial  Information1 
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Background 

The  Ministry's  Court  Services  division  uses  the  "Blueprint  for  the  Security  of 
Judicial  Information"  (Blueprint)  prepared  by  the  Computer  Security 
Subcommittee  of  the  Judges  Technology  Advisory  Committee,  as  a  guide  to 
manage  information  security.  The  Blueprint  provides  a  model  for  developing 
effective  Information  Technology  (IT)  security  policies  that  consider  judicial 
needs. 


Criteria  we  used 


Criteria:  the  standard  we  used  for  our  audit 

The  Ministry's  Court  Services  division  should: 

document  and  enforce  division-level  security  policies  that  guide  all 
divisions  in  delivering  IT  services; 

document  and  implement  division-level  IT  system  access  controls  to 
ensure  that  only  authorized  users  can  access  any  court  system,  based  on 
their  job  functions; 

complete  a  threat  risk  assessment  of  their  critical  IT  assets  to  ensure  that 
adequate  controls  mitigate  any  risks; 

establish  computer-use  monitoring  on  all  servers  and  network  devices  to 
screen  for  unauthorized  access  attempts  and  unusual  use  patterns; 
follow  a  documented  change-management  process  that  includes 
segregation  of  duties; 

provide  regular  security  awareness  training  for  staff  members. 


Our  audit  findings 

The  Ministry's  Court  Services  division  has  the  following  IT  security  control 
weaknesses  with  respect  to  the  Civil  and  Sheriff  Entry  system. 


Information 
Technology 
security  policies 
are  not 
documented 


IT  security  policies 

Although  the  Ministry's  Court  Services  division  uses  the  Blueprint  as  a  guide 
to  implement  IT  security  policies,  it  has  not  documented  or  enforced  the 
policies.  Policy  3  of  the  Blueprint  states  that  "Courts  must  provide  all  users 
with  ongoing  awareness  training  and  materials  on  IT  Security."  But  the 
Ministry's  Court  Services  division  does  not  conduct  security  awareness 
training,  and  it  has  not  assigned  anyone  to  provide  this  training  regularly. 


Access  control 
processes  are  not 
documented 


Access  controls 

The  Ministry's  Court  Services  division  has  not  documented  access  control 
processes  for  the  Civil  and  Sheriff  Entry  system  (CASES)  IT  system.  Staff 
follow  an  informal  process  to  request  and  grant  IT  system  access:  system 
supervisors  in  each  court  have  authorization  to  grant  access  to  users  at  that 
location.  But  there  is  no  process  to  confirm  the  requested  access  by 
designated  approvers  before  granting  access  to  the  CASES  system.  The 
central  systems  administrator  for  CASES  completes  informal  user  access 
reviews  periodically.  However,  there  is  no  process  to  complete  regular 
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reviews  to  ensure  that  the  user  access  is  valid  based  on  the  job  function.  The 
CASES  administrator  in  Calgary  has  delegated  access  authority  to  all 
supervisors,  allowing  them  to  request,  approve  and  grant  user  access  to  staff 
in  their  area.  But  the  administrator  does  not  review  the  access  granted,  and 
there  is  no  process  to  periodically  review  user  access. 

Threat  risk  assessment 

The  Ministry's  Court  Services  division  maintains  an  inventory  of  IT  assets, 
but  does  not  group  them  by  business  function  or  classify  them  according  to 
the  criticality  and  sensitivity  of  information  they  support.  Further,  there  is  no 
documented  evidence  that  the  Ministry's  Court  Services  division  has  done 
threat  and  risk  assessments  for  these  assets.  According  to  policy  4  of  the 
Blueprint  "every  court  must  plan  and  conduct  a  regular  threat  and  risk 
assessment"  to  ensure  effective  safeguards  are  implemented  to  mitigate  the 
risk.  Although  the  Ministry  has  identified  the  CASES  system  as  critical,  the 
physical  environmental  controls,  and  the  location  of  the  server  are  not 
appropriate  to  house  a  critical  server  with  no  provision  for  system  recovery. 
Completing  a  threat  risk  assessment  would  identify  these  and  other  risks. 


Permissible 
computer 
monitoring  has 
not  been 
developed 


Log  monitoring 

Appropriate  network  devices  are  present  to  capture  and  log  network  traffic. 
However,  the  Ministry's  Court  Services  division  has  not  developed  or 
documented  policies  and  procedures  to  indicate  the  types  of  permissible 
computer  monitoring  which  will  not  significantly  threaten  judicial 
independence,  and  does  not  keep  the  logs  or  monitor  communications. 


Change 
management 
processes  are  not 
documented 


Change  management 

The  Ministry's  Court  Services  division  uses  an  informal  process  for  change 
management,  but  staff  don't  consistently  follow  it.  The  change  management 
process  does  not  require  appropriate  approvals  before  changes  are  made  in  the 
production  IT  systems.  In  addition,  there  is  no  segregation  of  duties  between 
developers  and  implementers — the  same  consulting  staff  members  are 
responsible  for  both  functions. 


Reliability  of 
information 
systems  may  be  at 
risk 


Implications  and  risks  if  recommendation  not  implemented 

Without  division-level  security  policies,  the  Ministry's  Court  Services 
division  won't  develop  or  enforce  consistent  policies  for  all  systems.  It  may 
give  inappropriate  access  to  CASES  if  it  does  not  regularly  approve  and 
review  IT  system  access.  Without  a  consistent  change  management  process 
for  the  IT  environment,  appropriate  scheduling,  ranking  and  impact 
assessment  of  changes  may  not  occur. 
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Unqualified 
opinion 


Municipal  Affairs  and  Housing 

Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  should  improve  their  general  computer  controls — see  page  1 38. 

Alberta  Social  Housing  Corporation  should  develop,  implement,  document  and 
communicate  procedures  to  support  its  capitalization  policy — see  page  137. 

Performance  reporting 

Our  auditor's  reports  on  the  Ministry's,  Department's  and  Alberta  Social  Housing 
Corporation's  financial  statement  for  the  year  ended  March  3 1 .  2007  arc 
unqualified.  We  found  no  exceptions  when  we  completed  specified  auditing 
procedures  on  the  Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

Performance  reporting 

Our  auditor's  reports  for  the  year  ended  December  31,  2006,  on  the  following 
financial  statements  are  unqualified: 

•  Improvement  Districts  4,  9,  12,  13  and  24 

•  Kananaskis  Improvement  District 

•  Special  Areas  Trust  Account 


Six  core 
businesses 


Overview  of  the  Ministry 

The  Ministry  financial  statements  include  the  Department  of  Municipal  Affairs 
and  Housing,  Alberta  Social  Housing  Corporation,  and  Safety  Codes  Council 
which  is  consolidated  on  a  modified  equity  basis. 


The  Ministry's  2006-2007  annual  report  describes  six  core  businesses: 
Local  Government  Services 
Safely  Services  and  Fire  Protection 
Emergency  Management  Alberta 
Municipal  Government  Board 

Provide  a  range  of  housing  options  and  supports  for  lower  income  Albertans 
Build  Community  Capacity 
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Ministry  spent  Ministry  expenses  for  2006-2007  were  $457  million  and  consisted  of: 
$457  million 

(millions  of  dollars) 


Housing  Services  $  215 

Local  Government  Services  98 

Debt  Servicing  60 

Public  Safety  26 

Community  and  Library  Services  24 

Grants  in  Kind  1 9 

Ministry  Support  Services  12 

Municipal  Government  Board  3 


$159  million  in        jhe  Ministry's  revenues  of  $159  million  include  a  $125  million  recovery  from  the 
federal  government  for  affordable  housing  programs. 

For  more  information  on  the  Ministry  and  its  programs,  visit  its  website  at 
www .  municipalaffairs .  go  v .  ab .  ca 


Systems  audits 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  followed  up  on  our  previous  recommendations  on  information 
technology  management  controls. 


Financial 
statements 


2.    Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  Department,  and  Alberta 
Social  Housing  Corporation  for  the  year  ended  March  3 1 ,  2007. 


Performance 
measures 


We  completed  specified  auditing  procedures  on  the  Ministry's  performance 
measures. 


3.   Other  entities  that  report  to  the  Minister 

We  audited  the  following  financial  statements  for  the  year  ended 
December  31,  2006: 
Other  entities  .     Improvement  Districts:  #  4,  9,  1 2,  1 3  and  24 

•  Kananaskis  Improvement  District 

•  Special  Areas  Trust  Account 
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Corporation  owns 
most  of  the 
properties  it  uses  to 
deliver  social 
housing  programs 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Alberta  Social  Housing  Corporation — capitalization  policy 
Recommendation 

We  recommend  that  the  Alberta  Social  Housing  Corporation  develop 
and  implement  procedures  to  support  its  capitalization  policy,  document 
them,  and  communicate  them  to  financial  services  staff  and  program 
staff. 

Background 

The  Corporation  owns  most  of  the  properties  it  uses  to  deliver  social  housing 
programs.  These  capital  assets  include  rental  properties,  surplus  land,  and 
surplus  rental  properties. 

The  Corporation  has  a  capitalization  policy,  which  is  disclosed  in  the  annual 
audited  financial  statements.  The  audited  financial  statements  also  include  the 
estimated  useful  life  ranges  for  the  Corporation's  capital  assets. 

The  Department  of  Municipal  Affairs  and  Housing  financial  services  does  the 
accounting  for  the  Corporation. 

Criteria:  the  standards  we  used  for  our  audit 

The  Corporation  should  have  procedures  to  support  its  capitalization  policy 
that  are  formally  documented,  approved,  and  communicated  to  all  appropriate 
financial  services  and  program  staff. 

The  Corporation  should  review  the  appropriateness  of  the  estimated  useful 
life  of  capital  assets  regularly  to  ensure  it  continues  to  appropriately  and 
accurately  reflect  the  useful  life  of  the  Corporation's  capital  assets. 


Procedures  are 
needed  to  provide 
staff  with  guidance 
on  how  to  apply  the 
capital  asset  policy 


Our  audit  findings 

The  Corporation  does  not  have  formal  documented  procedures  to  support  its 
capitalization  policy  to  ensure  the  consistent  and  appropriate  reporting  of  its 
housing  properties. 

Currently  program  staff,  separate  from  financial  services  staff,  are  responsible 
to  identify  and  communicate  any  acquisitions  and  disposals  to  financial 
services  staff  to  ensure  they  are  recorded  for  financial  reporting  purposes. 
However,  there  are  no  formal  procedures  or  guidance  on  how  this  should  be 
done. 
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Capitalization  criteria  are  not  communicated  to  appropriate  program  staff  to 
ensure  that  they  can  appropriately  and  promptly  identify  and  communicate 
acquisitions  and  disposals  to  financial  services  staff.  Program  staff  are  not 
always  aware  of  the  accounting  implications  associated  with  acquisitions  and 
disposals.  Program  staff  do  not  know  which  date  to  use  when  identifying  an 
asset  disposal. 

The  current  estimated  useful  lives  of  capital  assets  are  assessed  as  up  to 
50  years.  The  Corporation  does  not  regularly  assess  the  appropriateness  of  the 
estimated  useful  lives  of  capital  assets — used  to  calculate  the  amortization 
expense  for  housing  properties. 

Implications  and  risks  if  recommendation  not  implemented 

Capital  asset  balances  in  the  Corporation's  financial  statements  may  be 
misstated. 

1.2  Information  Technology  management  controls  follow  up — 
recommendation  repeated 

We  first  made  this  recommendation  in  our  2003-2004  Annual  Report 
(page  265).  Management  agreed  to  this  recommendation  and  planned  to  fully 
implement  it  by  March  13,  2007.  It  has  not  been  implemented  yet. 

Recommendation 

We  again  recommend  that  the  Ministry  of  Municipal  Affairs  and 
Housing  approve  its  draft  security  policies,  and  implement  procedures  so 
that  only  authorized  users  can  access  the  Ministry's  systems  and  data. 

We  also  again  recommend  that  the  Ministry: 

•  implement  a  risk  assessment  framework  to  manage  information 
technology  risks,  and 

•  obtain  independent  assurance  on  the  outsourced  computer  general 
control  environment. 


Capitalization 
criteria  not 
communicated 


Responsible  for 
systems  that  store 
and  process 
province  wide 
information 


Background 

The  Ministry  is  responsible  for  managing  over  40  information  systems  that 
store  and  process  information  for  the  province.  Some  of  the  systems  store 
critical  information  such  as  information  on  emergency  management. 
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The  Ministry  has  outsourced  the  responsibility  for  managing  application 
development  and  database  administration  of  these  and  other  systems  to  a 
service  provider.  The  outsourced  environment  is,  in  effect,  an  extension  of 
the  Ministry's  control  environment.  The  quality  of  the  Ministry's  control 
environment  depends  on  effective  controls  being  maintained  by  the  sen  ice 
providers. 

A  risk  assessment  of  information  systems  includes  identifying  risks  to 
information  security  and  then  reviewing  internal  controls  to  adequately 
mitigate  these  risks 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry's  information  technology  environment  should  meet  industry 
standards  of  control  to  protect  the  confidentiality,  integrity  and  availability  of 
information.  To  ensure  this  happens,  the  Ministry  should: 

•  develop  comprehensive  policies  and  procedures  for  the  operations, 
maintenance  and  security  of  its  systems; 

•  implement  a  risk  assessment  framework  to  identify  and  manage 
information  technology  risk;  and 

•  implement  procedures  to  obtain  assurance  on  the  adequacy  of  controls  in 
the  outsourced  environment. 

Our  audit  findings 

In  2005-2006,  the  Ministry  ranked  its  systems,  based  on  criticality,  from  high 
impact  to  low  impact.  The  Ministry  also  developed  a  template  that  can  be 
used  to  identify  information  security  risks  and  document  controls  in  place  to 
mitigate  these  risks.  However,  the  Ministry  has  not  populated  the  template 
with  risks  that  are  specific  to  its  information  systems.  The  Ministry  also  has 
not  reviewed  its  controls  to  ensure  they  are  adequate. 

The  Ministry  is  currently  using  a  security  policy  that  is  out-of-date.  For 
example,  the  security  policy  does  not  include  requirements  to: 

•  monitor  for  unauthorized  access  and  other  security  events 

•  test,  configure  and  maintain  network  systems  and  physical  environments, 
on  a  regular  basis,  to  prevent  the  threat  of  breaches  in  security. 

The  Ministry  has  not  obtained  independent  assurance  on  the  outsourced 
service  provider's  computer  control  environment. 

The  Ministry  drafted  a  new  security  policy  in  2005  -2006  that  includes  these 
and  other  requirements  but  has  not  approved  or  implemented  this  new  policj 
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To  fully  implement  these  recommendations,  the  Ministry  needs  to: 
What  remains  •     complete  its  risk  assessments  and  review  the  adequacy  of  its  controls 

based  on  the  risk  assessments; 

•  approve  and  implement  its  information  security  policy,  develop 
procedures  and  ensure  compliance  with  policies  and  procedures;  and 

•  obtain  independent  assurance  on  the  outsourced  application  maintenance 
environment.  This  assurance  can  be  a  formal  report  such  as  Section  5970 
report,  a  Systrust,  or  a  review  completed  by  qualified  individuals 
independent  of  the  service  provider. 

2.  Performance  reporting 

2.1  Financial  statements 

We  issued  unqualified  opinions  on  the  Ministry's,  Department's  and  Alberta 
Social  Housing  Corporation's  financial  statements  for  the  year  ended 
March  31,  2007. 

2.2  Performance  measures 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures 
on  the  Ministry's  performance  measures. 

3.  Other  entities 
3.1  Performance  reporting 

We  issued  unqualified  opinions  on  the  following  financial  statements  for  the 
year  ended  December  3 1 ,  2006: 

•  Improvement  Districts  #  4,  9,  12,  13  and  24 

•  Kananaskis  Improvement  District 

•  Special  Areas  Trust  Account 
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Seniors  and  Community  Supports 

Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  should  improve  its  general  computer  controls — see  page  143. 
Performance  reporting 

Our  auditor's  reports  for  the  Ministry  and  Department  are  unqualified— see- 
page 144. 

We  found  one  exception  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures — see  page  144. 

Other  entities  that  report  to  the  Minister 

•     Performance  reporting 

The  financial  statements  of  all  Persons  with  Developmental  Disabilities  Boards 
(provincial  and  community)  have  unqualified  auditor's  reports — see  page  144. 


Overview  of  the  Ministry 

The  Ministry  consists  of  the  Department  and  the  six  Persons  with  Developmental 
Disabilities  Community  Boards  (the  Community  Boards).  Effective  July  1,  2006, 
the  Province  of  Alberta  dissolved  the  Provincial  Board  and  transferred  its  functions 
to  the  Ministry. 

The  Ministry  is  responsible  for: 

•  providing  services,  programs  and  planning  for  seniors  and  the  aging  population 

•  providing  supports,  services  and  planning  for  persons  with  disabilities 

Ministry  received   The  Ministry  received  $  1 7 1  million  in  2006-2007,  $  1 6 1  million  of  which  came 
171  million        from  transfers  from  me  Government  of  Canada. 
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Ministry  spent       in  2006-2007,  the  Ministry  spent  $  1 .6  billion,  primarily  as  follows: 
$  1  6  blllion  (millions  of  dollars) 

Senior  services  $  355 

Support  for  persons  with  disabilities  541 
Community  supports  506 

For  more  information  on  the  Ministry,  visit  its  website  at  www.seniors.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  and  Department  for  the 
year  ended  March  31,  2007. 

We  completed  specified  auditing  procedures  on  the  performance  measures  in 
the  Ministry's  2006-2007  annual  report. 

2.  Other  entities  that  report  to  the  Minister 

We  audited  the  financial  statements  of  the: 

•  Persons  with  Developmental  Disabilities  Provincial  Board  (April  1  to  June 
30,  2006. 

•  Persons  with  Developmental  Disabilities  Northwest  Region  Community 
Board 

•  Persons  with  Developmental  Disabilities  Northeast  Region  Community 
Board 

•  Persons  with  Developmental  Disabilities  Edmonton  Region  Community 
Board 

•  Persons  with  Developmental  Disabilities  Central  Region  Community 
Board 

•  Persons  with  Developmental  Disabilities  Calgary  Region  Community 
Board 

•  Persons  with  Developmental  Disabilities  South  Region  Community  Board 
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Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  General  computer  controls 
Recommendation 

We  recommend  that  the  Ministry  of  Seniors  and  Community  Supports 
improve  general  computer  controls  by: 

•  identifying  and  protecting  data  based  on  its  sensitivity, 

•  following  change  management  procedures, 

•  reviewing  database  logs,  and 

•  reviewing  user  access  to  applications. 

Background 

Our  financial  statement  audit  work  included  an  examination  of  the  Ministry's 
general  computer  controls.  Our  audit  focused  on  the  network,  facilities, 
hardware  and  software  that  are  specific  to  the  Ministry.  Common  government 
applications  such  as  IMAGIS,  EPS  and  ExClaim,  the  government  network,  and 
other  shared  services  are  included  in  the  audit  of  Service  Alberta. 


84  control 

activities 

examined 


We  evaluated  84  general  control  activities  for  the  Ministry.  For  each  control 
activity,  we  assessed  whether  the  control  was  effective  or  ineffective.  To  be 
assessed  as  effective,  a  control  activity  should  be  designed  to  mitigate  an 
identified  risk  and  have  operated  effectively  throughout  the  year. 


Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  have  appropriate  controls  over  its  computer  processing 
environment  to  ensure  the  security,  integrity  and  availability  of  financial 
information  being  reported. 


17  controls 
ineffective 


Our  audit  findings 

Of  the  84  general  control  activities  that  we  examined,  we  assessed  1 7  as 
ineffective.  These  control  activities  range  from  general  security  practices  to 
establishing  policies  and  procedures  to  manage  IT  risks  faced  by  the  Ministry. 
Four  of  the  ineffective  controls  relate  to  disaster  recovery  planning  and  another 
seven  ineffective  controls  are  the  responsibility  of  Service  Alberta  as  outlined 
in  the  shared  services  agreement. 


Weaknesses  in 
security,  access 
and  change 
management 
controls 


The  following  control  weaknesses  and  deviations  were  identified: 

•  Ministry  data  is  not  classified  by  sensitivity,  however  a  security  policy  is 
being  developed  that  will  resolve  this  issue. 

•  The  Ministry  does  not  have  a  process  to  review  users'  access  to 
applications. 

•  Database  and  network  logs  are  generated  but  are  not  being  reviewed. 
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•  A  change  management  process  exists  but  is  not  followed  consistently. 

•  A  process  for  testing  backup  tapes  does  not  exist. 

Implications  and  risks  if  recommendation  not  implemented 

Without  appropriate  IT  controls  that  are  documented  and  followed,  the 
Ministry  may  not  be  able  to  rely  on  its  data,  applications,  and  systems  to 
provide  complete,  accurate,  and  valid  information  that  is  appropriately 
safeguarded.  Poor  controls  over  computer  systems  can  result  in  unauthorized 
individuals  gaining  access  to  confidential  information  and  exploiting  it  for 
identity  theft  or  other  fraudulent  activity. 

2.  Performance  reporting 

2.1  Financial  statements 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry  and 
Department  are  unqualified. 

2.2  Performance  measures 

We  found  one  exception  when  we  completed  specified  auditing  procedures  on 
the  Ministry's  performance  measures.  Data  was  not  reported  for  the  new 
measure  titled,  Eligibility  Decision  Time  in  Working  Days  for  AISH 
Applications.  As  a  result,  we  were  unable  to  complete  our  specified  auditing 
procedures  for  this  measure. 

3.  Other  entities  that  report  to  the  Minister 
3.1  Financial  statements 

The  financial  statements  for  the  Persons  with  Developmental  Disabilities 
Provincial  Board  and  the  six  Community  Boards  received  unqualified  auditor's 
reports. 

Our  auditor's  report  on  the  financial  statements  of  the  Calgary  Region 
Community  Board  has  an  information  paragraph  reporting  that  expenses 
include  payments  by  the  Community  Board  for  services  to  individuals  whose 
disability  did  not  meet  the  legal  definition  of  a  developmental  disability.  The 
Community  Board  provided  services  to  individuals — and  funding  to 
organizations — that  fall  outside  of  the  parameters  set  by  the  Persons  with 
Developmental  Disabilities  Community  Governance  Act. 


Unqualified 
opinions 


Unqualified 
opinion 


Non-compliance 
with  legislation 
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Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  of  Service  Alberta  should  work  with  its  client  ministries  to  ensure  that 
the  service  level  agreements  relating  to  information  technology  are  current,  clarify  the 
level  of  services,  and  define  roles  and  responsibilities  of  each  party — see  page  146. 

We  repeat  our  recommendation  that  Service  Alberta  should  ensure  that  the  systems  it 
administers  comply  with  the  Alberta  government's  standards  for  computer  security- 
see  page  148. 

We  repeat  our  recommendation,  made  in  a  2004  management  letter,  that  Service 
Alberta  should  regularly  complete  risk  assessments  for  central  data  centre  assets— see 
page  149. 

Performance  reporting 

Our  auditor's  report  on  the  Ministry  financial  statements  for  the  year  ended 

March  31,  2007  is  unqualified.  We  found  no  exceptions  when  we  completed  specified 

auditing  procedures  on  the  Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

We  issued  unqualified  auditor's  reports  on  the  financial  statements  of  the  employee 
benefits  plans  listed  in  section  3  of  Scope. 


3  core 
businesses 


Overview  of  the  Ministry 


The  Ministry  has  three  core  businesses: 

•  Service  to  Albertans 

•  Service  to  government  departments 

•  Personnel  administration  (now  known  as  Corporate  Human  Resources) 


Ministry  spent    [n  2006-2007,  the  Ministry  spent  $330  million,  including  $261  million  on  services  to 
nn  ion      government  departments  and  personnel  administration. 


Ministry 
received  $437 
million 


The  Ministry's  revenue  from  sources  external  to  the  government  in  2006-2007  was 
$437  million.  This  amount  was  primarily  motor  vehicle  driver's  licence  and  vehicle 
registration  fees. 


For  more  details  on  the  Ministry,  visit  its  website  at  www.servicealberta.gov.ab.ca 
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Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  the  service  level  agreements  that  Service  Alberta  enters  into  with 
its  client  ministries. 

We  also  followed  up  on  our  previous  years'  recommendations  for  Service 
Alberta  to: 

•  ensure  the  systems  it  administers  comply  with  the  Alberta  government's 
standards  for  computer  security 

•  regularly  complete  risk  assessments  for  central  data  centre  assets 

•  administer  its  clients'  antivirus  software  in  accordance  with  its  service  level 
agreements  and  Alberta  government's  requirements 

•  document  and  log  its  backup  and  related  procedures 

•  work  with  other  ministries  to  optimize  IMAGIS  use 

2.  Performance  reporting 

We  audited  Ministry  of  Service  Alberta  financial  statements  for  the  year  ended 
March  31,  2007.  We  completed  specified  auditing  procedures  on  the  Ministry's 
performance  measures. 

3.  Other  entities  that  report  to  the  Minister 

We  audited  the  financial  statements  of  the  following  employee  benefit  plans: 

•  Long  Term  Disability  Income  Continuance  Plan — Bargaining  Unit  and  Long 
Term  Disability  Income  Continuance  Plan — Management,  Opted  Out  and 
Excluded  for  the  year  ended  March  31,  2007 

•  Government  of  Alberta  Dental  Plan  Trust  for  the  year  ended 
December  31,  2006 

•  Government  Employees'  Group  Extended  Medical  Benefits  Plan  Trust  for 
the  year  ended  December  3 1 ,  2006 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Service  level  agreements  between  Service  Alberta  and  its  client  ministries 
(relating  to  information  technology) 
Recommendation  No.  32 

We  recommend  that  the  Ministry  of  Service  Alberta,  working  with  its  client 
ministries,  revise  their  information  technology  service  level  agreements  to: 

•  ensure  that  the  agreements  are  current 

•  clarify  the  level  of  services  provided  in  each  service  category 

•  define  the  roles  and  responsibilities  of  each  party 
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In  certain  ministries  where  we  examined  their  outsourcing  processes,  we  made 
recommendations  for  improvement.  Some  of  these  recommendations  relate  to  the 
ministries'  agreements  with  Service  Alberta — see  pages  60,  129,  138,  143.  154 
and  172. 


Service 
Alberta 
provides 
services  to 
other 

government 
ministries 


Background 

Service  Alberta  provides  services  to  Alberta  government  ministries  through  its 
Edmonton  and  Calgary  central  computing  centres,  and  through  distributed 
computing  sites,  co-located  at  Government  of  Alberta  (GOA)  ministry  facilities. 
It  offers  the  following  services: 


Services 

Central 
Shared 
Services 

Distributed 

Computing  Sites 

Operations 

V 

V 

Performance  and  Capacity  Management 

V 

V 

Problem  and  Change  Management 

V 

V 

Security  Management 

V 

V 

Data  Base  Management 

Optional 

Business  Continuity  and  Disaster  Recovery 

V 

Optional 

Account  Management 

V 

Asset  Management 

V 

The  service  level  agreement  between  Service  Alberta  and  each  client  ministry 
defines  the  services  that  Service  Alberta  is  to  deliver. 

Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should: 

•  have  a  current  service  level  agreement  with  each  client  ministry  that 
documents  the  services  that  the  client  ministry  requires 

•  use  the  service  level  agreement  with  each  client  ministry  to  document  the 
level  of  service  it  will  provide  in  each  service  category 

•  report  to  client  ministries  on  its  compliance  with  all  security  policies 

•  clearly  define  roles  and  responsibilities  of  Service  Alberta  and  the  client 
ministries  for  service  delivery  and  management 


Agreements 
not  current 

Level  of 
services 
offered  not 
clear 


Our  audit  findings 

•  Service  Alberta  does  not  have  current  service  level  agreements  with  its  client 
ministries. 

•  Service  Alberta  offers  different  types  of  services  to  client  ministries,  but  the 
service  level  agreements  do  not  clearly  state  the  level  of  service  agreed  on. 
For  example,  Service  Alberta  offers  levels  described  as  Gold,  Silver,  Bronze 
and  Best  Effort  for  the  Business  Continuity  and  Disaster  Recover  services; 
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however,  the  service  level  agreements  do  not  indicate  the  level  of  service 
contracted  for.  This  finding  applies  to  all  ministries. 

•  Service  Alberta  provides  security  management  through  the  service  level 
agreement  which  states  "  ...ensure  security  is  maintained  for  GO  A/  Ministry 
policies,  procedures  and  legislation  for  on-going  operations  or  when 
introducing  changes.'"  However,  Service  Alberta  does  not  do  regular  risk 
assessments  of  its  operational  environments.  As  a  result,  it  cannot  show  that 
it  maintains  the  security  of  the  operational  environment  as  the  service  level 
agreement  requires.  This  finding  applies  to  all  ministries. 

•  Service  level  agreements  do  not  clearly  define  roles  and  responsibilities  for: 

•  maintaining  adequate  security  for  server  rooms 

•  administering  change-management  processes 

•  implementing  network  access  administration  and  management  controls 

Implications  and  risks  if  recommendation  not  implemented 

If  Service  Alberta  does  not  maintain  current  and  detailed  service  level 
agreements  with  its  client  ministries,  there  is  a  risk  that  required  services  may  not 
be  delivered,  resulting  in  insecure  environments  and  wasted  resources. 

Because  the  client  ministries  may  not  receive  the  right  services,  the  ministries 
cannot  be  certain  that  they  are  protecting  their  confidential  information. 

1.2  Security  administration  for  shared  services  at  distributed  sites — 
recommendation  repeated 

We  repeat  our  2005-2006  recommendation  because  Service  Alberta  has  not 
improved  IT  security. 

Recommendation 

We  again  recommend  that  the  Ministry  of  Service  Alberta  ensure  that  the 
systems  it  administers  comply  with  the  Alberta  government's  standards  for 
computer  security. 

Background 

In  our  2005-2006  Annual  Report  (Volume  2,  page  165),  we  recommended  that 
Service  Alberta  ensure  the  systems  it  administers  comply  with  the  Alberta 
government's  Identity  and  Authentication  Standard.  Service  Alberta  maintains 
and  authenticates  passwords  throughout  the  Government  of  Alberta  (GOA)  and  is 
also  the  system  administrator  for  other  government  entities'  applications  and 
data. 


Risks  not 
identified 


Roles  and 
responsibilities 
not  clear 
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Standards 
defined 


Standards  not 
met 


Website 
security  needs 
improvement 


The  GOA  Identity  and  Authentication  Standard  defines  acceptable  password 
controls.  The  GOA  Information  Technology  Baseline  Security  Requirements 
policy  states  that  "passwords  must  not  be  transmitted  in  clear  text1'  and  requires 
that  Service  Alberta  "ensure  threats  and  vulnerabilities  of  networks  and  systems 
do  not  reduce  the  government 's  security.'" 

Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should  ensure  that: 

•  the  systems  it  administers  comply  with  the  GOA  standards 

•  websites  and  servers  it  maintains  adequately  protect  user  names  and 
passwords  transmitted  over  computer  networks,  and  allow  users  to  easily 
verify  the  authenticity  of  such  sites 

Our  audit  findings 

The  systems  that  Service  Alberta  administers  still  do  not  meet  the  GOA  Identity 
and  Authentication  Standard  in  terms  of  requiring  strong  password  controls. 

Service  Alberta  does  not  have  adequate  security  over  its  websites  to  protect  its 
users.  Although  Service  Alberta  planned  to  improve  website  security,  it  made  no 
progress  in  2007  in  resolving  any  of  the  problems  we  identified  last  year. 


Implications  and  risks  if  recommendation  not  implemented 

Weak  password  controls  make  it  easier  for  unauthorized  people  to  access,  view, 
and  change  confidential  information  in  systems  that  Service  Alberta  administers. 

Poorly-secured  websites  that  do  not  allow  their  authenticity  to  be  easily  verified 
increase  the  risk  of  fake  government  websites  being  created  to  scam  the  public 
into  giving  them  personal  information. 

1 .3  Risk  assessment  for  central  data  centre  assets 

This  recommendation,  first  made  in  2004  in  a  management  letter,  is  repeated 
since  the  rate  of  progress  in  implementation  is  too  slow. 


Recommendation 

We  recommend  that  the  Ministry  of  Serv  ice  Alberta  regularly  complete  risk 
assessments  for  central  data  centre  assets  that  are  key  to  providing  critical 
services. 


Background 

In  2004,  we  recommended  that  Service  Alberta  complete  a  risk  assessment  for 
the  data  centre  operations.  In  2005,  Service  Alberta  began  performing  IT  risk 
assessments  but  was  unable  to  complete  the  assessments. 
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Criteria:  the  standards  we  used  for  our  audit 

To  provide  critical  services  to  client  ministries,  Service  Alberta  should: 

•  regularly  identify  risks  of  providing  services 

•  implement  controls  to  mitigate  identified  risks 

Our  audit  findings 

Service  Alberta  is  completing  risk  assessments  for  new  systems  or  when  major 
changes  occur  to  current  systems.  However,  Service  Alberta  is  not  perfonning 
risk  assessments  for  all  systems  that  provide  critical  services. 

To  implement  this  recommendation,  Service  Alberta  should: 

•  assign  ownership  to  identified  individuals  for  all  critical  services  provided  by 
Service  Alberta  to  its  client  ministries 

•  adopt  risk  management  as  an  active  process  by  completing  risk  assessments 
regularly 

•  create  a  plan  to  complete  risk  assessments  for  critical  assets 

•  develop  a  risk  action  plan  to  manage  the  risks  identified 

Implications  and  risks  if  recommendation  not  implemented 

Without  a  comprehensive  risk  assessment,  Service  Alberta  cannot  be  confident 
that  security  threats,  potential  vulnerabilities  and  impacts  have  been  identified 
and  evaluated,  and  that  appropriate  security  and  internal  control  safeguards  for 
reducing  or  eliminating  identified  risk  have  been  considered  and  deployed. 

1.4  Antivirus  updates — implemented 
Background 

In  our  2005-2006  Annual  Report  (Volume  2,  page  167),  we  recommended  that 
Service  Alberta  administer  its  clients'  antivirus  software  in  accordance  with  its 
service  level  agreements  and  Government  of  Alberta  requirements. 

Our  audit  findings 

Service  Alberta  implemented  our  recommendation.  Sample  servers  and  desktops 
supported  by  Service  Alberta  use  approved  antivirus  software  to  protect  against 
viruses.  In  addition,  Service  Alberta  implemented  a  process  to  monitor  critical 
servers  to  ensure  that  virus  signatures  are  kept  current  for  these  servers.  It  also 
completes  a  periodic  scan  on  workstations  to  verify  the  signatures  installed. 

1.5  Documented  procedures  and  logs — implemented 
Background 

In  our  2005-2006  Annual  Report  (Volume  2,  page  169),  we  recommended  that 
Service  Alberta  document  and  log  its  backup-related  procedures.  This  would  let 
alternate  staff  perform  complex  and  routine  tasks  consistently,  even  when  the 
staff  primarily  responsible  for  this  function  are  unavailable. 


Service 

Alberta  should 
protect  against 
viruses 


Service 

Alberta 

implemented 

adequate  virus 

protection 

processes 


Service 

Alberta  should 
document 
backup 
procedures 
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Procedures  are 
documented 


Our  audit  findings 

Service  Alberta  has  now  documented  procedures  for  backup  testing  and 
transportation  of  archive  data  to  offsite  storage.  It  uses  the  central  shared  services 
incident  management  process  to  record  unusual  events  that  result  in  backup  and 
restoration  errors. 


IMAGIS  use 
not  optimized 


1.6  Alberta  Government  Integrated  Management  Information  System 
(IMAGIS)  use — implemented 
Background 

On  page  199  of  our  2002-2003  Annua/  Report,  we  recommended  that  the  Deputy 
Minister  of  Innovation  and  Science  work  with  other  deputy  ministers  to  optimi/e 
the  use  of  IMAGIS.  Responsibility  for  implementing  this  recommendation  now 
belongs  to  Service  Alberta. 


Government's 
main  financial 
system 


IMAGIS  (a  customized  version  of  PeopleSoft)  is  the  computer  system  that 
ministries  use  to  process  financial  transactions,  including  payments  for  supplies, 
services  and  payroll.  It  also  produces  the  accounting  records  that  ministries  rely 
on  to  prepare  their  financial  statements.  Alberta  Finance  uses  IMAGIS  to  prepare 
the  province's  financial  statements. 


Completed 
criteria  to 
optimize 
IMAGIS  use 


Unqualified 
opinions 


Our  audit  findings 

Service  Alberta  implemented  this  recommendation  by  completing  and  approving 
the  criteria  to  evaluate  the  cost  effectiveness  of  using  existing  legacy  systems  or 
developing  new  computer  systems  when  IMAGIS  has  parallel  capabilities.  All 
government  ministries  will  use  the  criteria. 

Performance  Reporting 

Our  auditor's  report  on  the  Ministry  financial  statements  is  unqualified.  We 
found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

We  issued  unqualified  audit  opinions  on  the  financial  statements  of  the  employee 
benefit  plans  listed  in  section  3  of  Scope. 
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Solicitor  General  and  Ministry  of 
Public  Security 

Summary:  what  we  found  in  our  audits 

Systems 

The  Department's  information  technology  change  management  process  and  business 
continuity  planning  should  be  improved — see  page  154. 

Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  the  Department,  the 
Victims  of  Crime  Fund,  the  Alberta  Gaming  and  Liquor  Commission,  and  the  Lottery 
Fund  are  unqualified.  We  found  no  exceptions  when  we  completed  specified  auditing 
procedures  on  the  Ministry's  performance  measures. 


Four  core 
businesses 


Overview  of  the  Ministry 


The  Ministry's  2006-2009  business  plan  describes  four  core  businesses: 

•  Policing,  crime  prevention  and  response  to  organized  crime 

•  Custody,  supervision  and  rehabilitative  opportunities  for  offenders 

•  Security  services 

•  Victims  programs  and  services 

The  government  of  Alberta  reorganized  during  2006-2007  and  the  Ministry  now 
includes  the  Alberta  Gaming  and  Liquor  Commission  and  the  Lottery  Fund. 


Ministry 
received 
$2.3  billion 


Ministry 
spent  $2 
billion 


Total  revenue  for  the  Ministry  was  $2.3  billion  in  2006-2007.  The  Ministry's  main 
revenue  sources  are: 

(millions  of  dollars) 

Lottery  revenue  $1,534 
Liquor  and  related  revenue  658 

The  total  operating  expenses  for  the  Ministry  were  $2  billion  in  2006-2007,  comprised 
mainly  of: 

(millions  of  dollars) 

Lottery  Fund  and  payments  to  Ministries  $  1 ,547 

Public  Security  255 
Correctional  services  158 
Victims  of  crime  18 
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For  more  detail  on  the  Ministry,  visit  its  website  at  www.solgen.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  the  Department  of  Solicitor  General  and  Public  Security's  controls 
over  its  information  technology  environment. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  the  Department,  the  Victims  of 
Crime  Fund,  the  Alberta  Gaming  and  Liquor  Commission,  and  the  Lottery  Fund 
for  the  year  ended  March  31,  2007.  We  completed  specified  auditing  procedures  on 
the  Ministry's  performance  measures. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Change  Management 
Recommendation 

We  recommend  that  the  Department  of  Solicitor  General  and  Public  Security 
improve  its  change  management  process  to  include  changes  to  its  information 
technology  environment  made  by  service  providers. 

Background 

The  Department  uses  three  main  applications  to  manage  its  operations.  These 
applications  are: 

•  Correctional  Management  Information  System  (COMIS) 

•  Employee  Time  Management  System  (ETMS) 

•  Alberta  Community  Offender  Management  system  (ACOM) 

The  Department  manages  changes  to  COMIS  and  Service  Alberta  manages 
changes  made  to  ETMS  and  ACOM.  The  Department  has  also  outsourced 
information  technology  (IT)  infrastructure  support  to  Service  Alberta  and  relies 
heavily  on  the  availability  of  its  network  to  deliver  services  to  its  business  units. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  ensure  that  all  changes  to  its  IT  environment  follow  a 
documented  change  management  process  that  appropriately  ranks  and  schedules 
the  changes,  and  assesses  their  impact. 


Three  main 
applications 
are  used 


Department 
and  Service 
Alberta  both 
manage 
changes 
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Change 
management 
processes 
not 

consistent 


Correction 
of 

deficiencies 
has  begun 


Our  audit  findings 

Although  COMIS  has  a  documented  change  management  process,  which  is 
consistently  followed,  ETMS  and  ACOM  do  not.  Service  Alberta  does  not  always 
inform  the  Department  of  infrastructure  changes.  Consequently,  before  these 
changes  are  implemented,  the  Department  cannot  consider  their  effects  on  the  IT 
environment  or  assess  their  impact. 

The  Department  has  started  to  correct  some  of  these  deficiencies  through  regular 
working  committees  for  ETMS  and  ACOM.  These  committees  discuss  and  approve 
changes  to  ETMS  and  ACOM.  In  addition,  the  Department  is  in  the  preliminary 
stages  of  creating  a  Project  Management  Office  that  will  define  a  standard  project 
management  process  for  all  IT  projects. 


Implications  and  risks  if  recommendation  not  implemented 

Without  a  consistent  change  management  process  to  make  changes  to  the  IT 
environment,  which  all  teams  follow,  appropriate  scheduling,  ranking  and  impact 
assessment  of  changes  may  not  occur.  This  could  disrupt  normal  operations  and 
decrease  the  reliability  of  Department  information  systems. 

1.2  IT  Business  Continuity  Plan 
Recommendation 

We  recommend  that  the  Department  of  Solicitor  General  and  Public  Security 
develop  procedures  to  implement  its  business  continuity  plan  to  ensure  it  can 
recover  its  information  technology  operations  within  required  timeframes  in  a 
disaster. 


Business 
Continuity 
Plan  exists 


Background 

The  Department  has  a  documented  Business  Continuity  Plan  (BCP)  that  lists 
several  business  units  as  "critical."  The  high-level  information  technology  (IT) 
Business  Continuity  Plan  document  is  supposed  to  allow  restoration  of  the 
Department's  critical  applications  in  a  disaster.  All  of  the  Department's  critical 
applications  are  hosted  at  Service  Alberta's  Edmonton  central  computing  centre. 

Criteria:  the  standards  we  used  for  our  audit 

The  IT  Business  Continuity  Plan  should  include  the  following  key  procedures: 

•  Determining  IT  recovery  requirements  based  on  the  importance  of  business 
processes,  as  identified  in  the  BCP 

•  Establishing  and  implementing  backup  and  recovery  methodology  and 
techniques  based  on  recovery  requirements 

•  Co-ordinating  and  establishing  appropriate  recovery  capabilities  with  service 
providers  based  on  recovery  requirements 

•  Testing  the  schedule  to  periodically  validate  recovery  capabilities  and 
timeframes 
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Guidance  on 
recovery 
needs  to  be 
prepared 


Periodic 
testing 
should  be 
perfonned 


Our  audit  findings 

The  Department's  high-level  IT  Business  Continuity  Plan  does  not  include: 

•  identification  of  business  processes  identified  in  the  BCP,  associated 
applications  and  IT  infrastructure  for  each  critical  business  unit 

•  appropriate  guidance  to  aid  in  the  recovery  of  critical  data  from  backups. 
COMIS  has  documented  backup  and  recovery  options  in  the  procedures 
manual,  but  these  are  not  included  in  the  plan,  nor  does  the  plan  include 
backup  and  recovery  documentation  for  other  critical  applications 

•  established  recovery  capabilities  agreed  to  with  the  service  provider,  Service 
Alberta 

•  periodic  tests  to  validate  that  the  Department  will  be  able  to  recover  its  critical 
applications  and  associated  infrastructure  within  the  required  timelines. 

Implications  and  risks  if  recommendation  not  implemented 

If  the  Department  does  not  have  a  documented,  functional  IT  business  continuity 
plan  in  place,  it  will  not  be  able  to  systematically  recover  data  within  required 
timeframes.  As  a  result,  it  will  not  be  able  to  minimize  the  problems  that  a  service 
disruption  may  cause. 
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Sustainable  Resource  Development 

Summary:  what  we  found  in  our  audits 

Systems 

The  Department  should  evaluate  whether  government  objectives  could  be  met  by 
introducing  requests  for  proposals  from  all  interested  parties  whenever  an  entity 
applies  to  put  substantial  improvements  on  public  land — see  page  163. 

Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  the  Department 
and  the  Environmental  Protection  and  Enhancement  Fund  are  unqualified.  We 
found  one  exception  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

Other  entities  that  report  to  the  Minister 

The  Natural  Resources  Conservation  Board  should  rank  its  compliance  and 
enforcement  activities  for  confined  feeding  operations  based  on  risk — see 
page  167. 

We  issued  an  unqualified  auditor's  report  on  the  Natural  Resources  Conservation 
Board  financial  statements. 


Overview  of  the  Ministry 

Ministry  entities     jfe  Ministry  of  Sustainable  Resource  Development  consists  of  the  Department  of 
Sustainable  Resource  Development,  the  Natural  Resources  Conservation  Board, 
the  Surface  Rights  Board,  the  Land  Compensation  Board  and  the  Environmental 
Protection  and  Enhancement  Fund.  The  Ministry  has  also  delegated  administration 
for  certain  legislative  responsibilities  to  three  delegated  administrative 
organizations:  the  Alberta  Conservation  Association,  the  Forest  Resource 
Improvement  Association  of  Alberta,  and  the  Alberta  Professional  Outfitters 
Society. 

The  Ministry's  key  activities  include: 
Key  activities        Wildfire  management:  protects  the  benefits  received  from  forests,  supports 

programs  promoting  responsible  forest  management  and  prevents  and  suppresses 
wildfires. 

Natural  resources  and  public  land  management:  integrates  planning  and 
management  practices  to  develop  common  goals  for  ecological  systems  that  cross 
multiple  stakeholders  and  demands. 
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Land,  access  and  compensation  boards: 

•  Natural  Resources  Conservation  Board  (NRCB) — conducts  independent 
public  reviews  of  major  non-energy  projects  affecting  Alberta's  natural 
resources  and  regulates  new  or  expanding  confined  feeding  operations 

•  Surface  Rights  Board — conducts  hearings  when  an  operator  and  a  landowner 
or  an  occupant  fail  to  reach  an  agreement  regarding  entry  or  compensation 
related  to  resource  activity  on  privately  owned  land  or  occupied  public  lands. 

•  Land  Compensation  Board — determines  compensation  when  landowners' 
property  is  expropriated  by  a  public  authority 


Ministry  earned 
$138  million 


The  Ministry  earned  $138  million  in  2006-2007.  The  largest  source  of  revenue 

was: 

(millions  of  dollars) 

Premiums,  fees  and  licenses  $  122 


Ministry  spent 
$471  million 


In  2006-2007,  the  Ministry  spent  $471  million  on  the  following: 

(millions  of  dollars) 

Wildfire  management  $  269 

Natural  resources  and  public  land  management  1 8 1 

Land,  Access  and  Compensation  Boards  9 

Ministry  support  services  and  valuation  adjustments  10 

Environment  statutory  programs  2 


For  more  details  on  the  Ministry,  visit  its  website  at  www.srd.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  the  Department's  process  to  determine  the  sales  price  of 
property  at  Elinor  Lake. 

We  followed-up  the  Department's  implementation  of  our  2003  contracting 
recommendation. 

We  followed-up  the  Natural  Resources  Conservation  Board's  implementation 
of  our  2004  recommendation  for  confined  feeding  operations. 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  the  Department  and  the 
Environmental  Protection  and  Enhancement  Fund  for  the  year  ended 
March  31,  2007.  We  also  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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3.    Other  entities  that  report  to  Minister 

We  audited  the  financial  statements  of  the  Natural  Resources  Consen  ation 
Board  for  the  year  ended  March  31.  2007. 


Our  audit  findings  and  recommendations 


Fair  value 
obtained 


1 


Systems — Elinor  Lake  land  sale 
1.1  Background 

In  1995  the  Department  entered  into  a  25  year  lease  with  Pro-Quality  Homes 
Ltd,  now  known  as  Elinor  Lake  Resort  Ltd.  (the  Resort),  which  allowed  the 
Resort  to  construct  and  operate  a  commercial  resort  on  property  at  Elinor 
Lake.  In  2003,  the  Resort  applied  to  purchase  the  property. 


1 .2  Question  asked  of  the  Auditor  General  by  the  Alberta  Public  Accounts 
Committee 

In  May  2007,  Mr.  R.  Miller,  MLA  and  member  of  the  Alberta  Public  Accounts 
Committee  asked  us:  "whether  the  taxpayers  of  Alberta  received  fair  value  for 
the  land  at  Elinor  Lake  when  it  was  sold  to  private  interests?" 

1.3  Conclusion 

The  Department  sold  land  to  the  Resort  in  accordance  with  the  Public  Lands 
Act  and  the  Dispositions  and  Fees  Regulation.  It  obtained  fair  value  which  is 
what  the  regulation  required. 

1 .4  Our  audit  findings  on  whether  fair  value  was  received 

Since  the  Regulation  required  the  purchaser  (who  held  the  land  under  a  lease) 
to  consent  to  any  other  purchaser  obtaining  the  land,  the  Department's  options 
for  this  transaction  were  limited.  The  Department  could  either  sell  the  land  to 
the  leaseholder  or  continue  with  the  lease. 


Fair  value  not 
defined  in 
regulation 


While  legislation  prescribes  that  the  sales  price  must  not  be  less  than  the  fair 
value  of  the  land,  the  term  fair  value  is  not  defined.  Accounting  standards 
define  fair  value  as  "the  amount  of  the  consideration  that  would  be  agreed 
upon  in  an  arm's  length  transaction  between  knowledgeable,  willing  parties 
who  are  under  no  compulsion  to  act".  Courts  generally  consider  this  however 
to  be  a  definition  of  fair  market  value.  Fair  value  has  been  described  by  some 
Courts  as  one  that  is  just  and  equitable  or  one  which  provides  adequate 
compensation  consistent  with  the  requirements  of  justice  and  equity. 
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The  Department's  interpretation  of  fair  value  for  this  property  was — fair 
market  value  of  the  property  as  unencumbered  vacant  land  specifically 
excluding  the  value  of  any  improvements  to  the  property  that  the  Resort  had 
made.  The  Resort  had  made  a  number  of  improvements  including  adding  some 
utilities,  erecting  buildings  and  having  the  zoning  changed  to  allow  other  uses 
including  extensive  recreation  as  permitted  uses. 

To  determine  the  purchase  price,  the  Department  hired  an  accredited  appraiser. 
He  concluded  that  the  market  value  of  the  property  excluding  improvements 
was  $942,800.  The  Department  offered  to  sell  the  property  to  the  Resort  for 
this  amount.  The  Resort  obtained  an  appraisal  from  another  accredited 
appraiser  which  indicated  the  market  value  was  $424,000.  To  resolve  this 
difference  of  opinion,  the  Department  together  with  the  Resort  hired  another 
accredited  appraiser  to  do  a  technical  review  of  the  other  two  appraisals  and 
provide  a  third  appraisal.  The  third  appraiser  concluded  that  the  market  value 
in  the  first  appraisal  was  unrealistically  high,  low  in  the  second  appraisal  and 
that  the  market  value  of  the  property  was  $524,500.  The  Department  sold  the 
235.7  acre  property  to  the  Resort  for  that  amount. 

1 .5  Criteria:  the  standards  we  used  for  our  audit  of  this  transaction 

In  forming  the  above  conclusion  we  examined  whether  the  Department  had  the 
following  processes  to  ensure  that: 

1 .  it  sells  land  in  accordance  with  the  Public  Lands  Act  and  Dispositions  and 
Fees  Regulation. 

2.  leases  and  sales  meet  the  government's  objectives 

3 .  it  has  a  process  to  review  and  approve  land  sale  agreements  before 
finalizing  sales 

4.  land  sale  agreements  clearly  outline  the  terms  and  conditions  of  sales  and 
conditions  in  land  sale  and  lease  agreements  are  met. 

1 .5.1      Land  is  sold  in  accordance  with  the  Public  Lands  Act  and  Disposition 
and  Fees  Regulation 

Our  audit  findings 

The  criterion  was  met — The  Department  obtained  a  statutory  declaration  that 
the  Resort  met  the  Canadian  ownership  requirement  specified  in  the  Public 
Lands  Act.  The  Department  met  the  fair  value  requirement  for  sales  of  land 
(see  Conclusion  page  159). 


Appraisals  used 
to  determine 
purchase  price 
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Overall  land 
strategy  still 
being  developed 


1 .5.2      Leases  and  sales  meet  the  government's  objectives 
Recommendation 

We  recommend  that  the  Department  develop  a  guideline  for  lease  and 
sale  of  land  indicating  when  and  with  whom  to  consult. 

Our  audit  findings 

The  criterion  is  partly  met.  For  the  Department  to  be  able  to  demonstrate  that  it 
has  met  government  objectives,  the  objectives  first  have  to  be  defined.  The 
government  has  not  established  an  overall  land  management  strategy  —but  is 
planning  to  develop  one  as  part  of  the  Land  Use  Framework  initiative.  Once 
developed,  the  Framework  may  also  provide  overall  guidance  on  consultation 
processes. 


Consultation 
guidelines  too 
general 


Until  the  Framework  is  completed  the  Department  manages  public  land 
according  to  broadly  defined  policies  and  regional  land  resource  plans  where 
those  exist.  The  Elinor  Lake  lease  and  sale  was  part  of  a  government  strategy 
to  increase  economic  diversification  of  a  local  economy  by  allowing  the  use  of 
public  land  for  tourism.  The  Department  also  consulted  prior  to  the  sale  with 
the  Field  Services  and  Forest  management  divisions  within  SRD. 
Infrastructure  and  Transportation,  and  Community  Development  (now  known 
as  Tourism,  Parks,  Recreation  and  Culture.)  All  entities  consulted  indicated  to 
the  Department  they  had  no  objections  to  the  sale. 

In  May  2005,  the  government  established  the  Government  of  Alberta's  First 
Nations  Consultation  Policy  on  Land  Management  and  Resource 
Development.  This  Policy  requires  the  Department  to  consult  with  First 
Nations  where  land  management  and  resource  development  on  provincial 
Crown  land  may  infringe  First  Nations'  Rights  and  traditional  uses. 

Since  the  Policy  was  introduced  after  the  Department  had  started  the  sales 
negotiation  with  the  Resort,  the  Department  did  not  consult  with  First  Nations 
or  the  Metis.  The  Department  has  since  prepared  the  Land  Management  First 
Nations  Consultation  Guidelines.  However  these  guidelines  are  general  and  do 
not  specify  such  issues  as  the  timing  of  when  the  Department  should  consult 
and  with  whom — for  example,  prior  to  a  lease  being  established  and/or  when  a 
sale  is  occurring. 

Implications  and  risks  if  recommendation  not  implemented 

Without  proper  guidance  on  consultation  processes  there  is  a  risk  that  the 
Department  could  breach  a  duty  to  consult  recognized  by  the  courts. 
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1 .5.3  Process  to  review  and  approve  land  sale  agreements  before 
finalizing  sales 

Our  audit  findings 

The  criterion  was  met.  The  offer  letter  was  signed  and  approved  by 
appropriate  individuals. 

1 .5.4  Land  sale  agreements  clearly  outline  the  terms  and  conditions  of 
sales  and  conditions  in  land  sale  and  lease  agreements  are  met 

Recommendation 

We  recommend  that  the  Department  establish  a  guideline  to  not  sell 
public  land  until  the  lessee  is  in  compliance  with  key  lease  requirements. 

Background 

The  Department  determined  that  the  Resort  was  not  in  compliance  with  a  lease 
requirement  to  maintain  a  buffer  zone  between  the  shoreline  of  the  lake  and 
their  development.  The  buffer  zone  was  a  key  requirement  of  the  lease  as  it 
was  required  for  purposes  of  ensuring  undisturbed  ecological  protection  and 
integrity  in  the  bank  of  the  lake  and  also  for  recreational  public  access. 

A  key  lease  requirement  is  any  term  that  the  Department  believes  must  be 
enforced  even  if  the  property  is  sold. 

The  Department  has  different  tools  to  get  lessees  to  comply  with  lease  terms. 
The  Minister  can  issue  a  ministerial  order  requiring  the  lessee  to  carry  out  the 
work  specified  in  the  order  and  within  the  time  specified  in  the  order.  Where 
the  lessee  has  applied  to  purchase  the  land,  the  Minister  can  also  make 
compliance  a  requirement  before  selling  land. 

Our  audit  findings 

The  Department  did  not  include  compliance  with  a  key  requirement  as  a 
condition  of  sale  in  the  offer  letter  but  instead  noted  in  the  offer  letter  that  any 
structures  in  the  buffer  zone  would  have  to  be  removed  and  the  land  reclaimed 
by  September  30,  2005.  Since  the  Department  concluded  the  Resort  did  not 
comply  with  the  requirement,  the  Department  issued  a  ministerial  order  with  a 
completion  date  of  April  16,  2007.  The  Department  issued  another  ministerial 
order  which  revised  some  of  the  previous  order's  conditions  and  extended  the 
completion  date  to  July  31,  2007.  At  the  time  of  our  audit,  the  Department 
was  in  the  process  of  inspecting  the  actions  the  Resort  had  taken  to  comply. 


Compliance  term 
not  included  as 
condition  of  sale 
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In  our  opinion,  compliance  with  this  condition  should  ha\  e  been  a  sale 
condition.  As  well,  the  purchaser  should  have  signed  the  offer  letter  to 
acknowledge  agreement  with  the  condition.  Including  compliance  as  a  sale 
condition  would  have  provided  an  incentive  for  the  Resort  to  comply  on  a 
timely  basis.  If  the  Resort  had  not  purchased  the  land  the  Minister  could  ha\  e 
still  issued  a  Ministerial  order. 

Implications  and  risks  if  recommendation  not  implemented 

In  the  absence  of  explicit  acknowledgement  of  conditions  of  sale,  the 
Department  takes  on  unnecessary  cost  in  achieving  purchaser  compliance. 

1 .6  Requests  for  proposals  to  ensure  the  province  gets  the  best  possible 
value  that  can  be  obtained  given  government  objectives 
Recommendation  No.  33 

We  recommend  that  the  Department  of  Sustainable  Resource 
Development  evaluate  whether  government  objectives  could  be  met  by 
introducing  requests  for  proposals  from  all  interested  parties  whenever 
an  entity  applies  to  put  substantial  improvements  on  public  land. 

Our  audit  findings 

The  Department  leases  public  land  typically  in  response  to  a  request  from  an 
interested  applicant.  When  an  applicant  proposes  to  put  substantial 
improvements  on  the  land,  the  Department  does  not  determine  whether  other 
individuals  or  entities  with  land  use  objectives  acceptable  to  the  government 
would  be  interested  in  leasing  or  purchasing  the  land.  Nor  has  the  Department 
developed  lease  rates  and  lease  terms  with  the  objective  of  ensuring  that  they 
are  equal  to  fair  market  rates  or  terms. 

The  Department  is  not  using  public  requests  for  proposals  for  disposition  of 
leased  land  with  substantial  improvements  because  of  the  regulatory 
requirement  that  the  lessee  must  agree  to  any  sale  and  also  because  individuals 
entering  into  a  lease  are  aware  that  the  Department's  policy  means  that  any 
sale  of  the  land  will  only  be  to  the  lessee.  In  effect,  the  lack  of  requests  for 
proposals  puts  lessees  in  a  preferential  position  with  respect  to  the  purchase  of 
land. 

Implications  and  risks  if  recommendation  not  implemented 

Introducing  competition  by  using  requests  for  proposals  is  the  key  to  ensuring 
that  all  who  are  interested  in  leasing  or  purchasing  land  get  a  chance  to 
participate  and  to  establishing  a  value  that  objectively  demonstrates  that  the 
Department  has  obtained  the  best  value  given  the  government's  objectives. 


Requests  for 
proposals  not 
used 
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2.    Systems — 2003  Contract  Audit — progress  report 
Background 

In  our  2002-2003  Annual  Report  (page  277)  we  recommended  that  the 
Department  of  Sustainable  Resource  Development  follow  the  government's 
best  practice  guidelines  for  contracted  services  and  grants  when  undertaking 
major  capital  or  long  term  lease  projects.  These  guidelines  describe  six  stages 
for  contract  management: 
Decision  to  contract 
Contract  selection  process 
Review/approval  process 
Contract  administration 
Contract  completion 
Continuous  improvement 


Additional 
guidance  needs  to 
be  provided  for 
management  of 
contracts 


Management  actions 

The  Department  has  made  progress  by  creating  a  Contracts  User  Manual.  We 
compared  the  manual  to  the  guidelines  and  found  that  the  manual  complies 
with  guidelines  except  for  the  following  processes: 

•  Decision  to  Contract — The  manual  does  not  provide  guidance  for: 

•  establishing  performance  measures  for  the  contracted  services. 

•  considering  expectations  based  on  past  experience  and  anticipation  of 
potential  changes  in  project  scope 

•  identifying  current  and  outstanding  legal  requirements 

•  Contract  Selection — The  manual  does  not  provide  a  quality  assurance 
checklist  as  guidance  for  the  contract  proposal  process. 

•  Review/ Approval — There  are  no  specific  procedures  or  reference  to 
conflict  of  interest  issues  and  checking  of  bidders'  references. 

•  Contract  Administration — There  is  no  requirement  for  independent  audits 
to  verify  that  Contract  Specialists  have  adequately  carried  out  their 
responsibilities. 

•  Contract  Completion — There  is  no  requirement  to  have  all  the  documents 
date  stamped  and  checked  for  proper  completion. 


In  establishing  the  progress  made,  we  noted  the  following  additional  matters 
that  will  require  attention  before  we  can  conclude  that  our  recommendation 
has  been  implemented: 

•  Business  case  supporting  decision  to  contract —  the  manual  should 
provide  guidance  on  the  nature  and  size  of  contracts  where  business  cases 
should  include  an  evaluation  of  alternative  strategies. 

•  Management  and  Administration  of  Contracts — reinforcement  of  the  need 
to  document  any  conflict  of  interest  and  its  management;  and  improved 
control  to  ensure  that  insurance  requirements  are  kept  up-to-date 
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•     Contract  completion  and  sign-off — the  manual  should  provide  guidance 
on  the  nature  and  size  of  contracts  where  an  evaluation  of  the  contract 
should  be  performed. 

3.    Systems —  Project  management 
Recommendation 

We  recommend  that  the  Department  show  clearly  throughout  a  project 
that  repeated  contracting  with  the  same  contractor  is  a  cost  effective  \\a\ 
to  achieve  that  project's  desired  outcome. 

Background 

Beginning  in  October  2003  and  continuing  until  March  2006.  the  Department 
entered  into  a  series  of  1 1  contracts,  totaling  $769,743.  with  the  expectation  of 
developing  a  graphic  information  management  strategy.  All  1 1  contracts  were 
sole  sourced  to  the  same  consultant. 


Department 
entered  into  1 1 
contracts  with  the 
same  consultant 


Criteria:  the  standards  we  used  for  our  audit  of  this  transaction 

Best  practice  guidelines  created  for  the  Senior  Financial  Officers'  Council 
provide  guidance  for  project  mangers  to:  establish  preliminary  budget 
estimates  and  key  assumptions,  assess  project  alternatives,  define  monitoring 
requirements  and  conduct  evaluations.  The  goal  is  to  ensure  value  for  money. 


No  evidence 
other  contractors 
were  considered 


Our  audit  findings 

We  examined  the  expectations  and  what  was  delivered  for  each  of  the 
1 1  contracts.  In  summary: 

We  could  not  find  evidence  of  the  need  for  an  outside  contractor  to  undertake 
the  strategy  development  in  the  first  place  or  evidence  that  other  contractors 
were  considered  for  any  part  of  the  development  once  it  was  underway. 

Three  of  the  contracts  delivered  outlines  and  clear  recommendations  for 
further  development  of  the  strategy.  At  these  project  milestones,  we  expected 
the  Department  to  evaluate  the  proposed  recommendations,  the  performance 
of  the  contractor  and  deliverables  to  date,  establish  a  budget  for  implementing 
the  recommendations  and  consider  alternatives.  We  did  not  find  evidence  that 
these  activities  took  place. 

We  found  no  budgets  for  this  strategy  development  project,  other  than  those 
presented  by  the  contractor.  On  four  of  the  contracts,  the  original  amounts 
were  increased  through  amendments  totaling  $142,000. 
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Implications  and  risks  if  recommendation  not  implemented 

Without  periodic  evaluation  of  the  interim  and  final  output  of  a  project 
executed  through  a  series  of  contracts  with  the  same  contractor,  the 
Department  has  no  evidence  that  it  is  obtaining  a  desired  outcome  cost 
effectively. 

4.   Systems — Confined  feeding  operations 
Summary 

The  Natural  Resources  Conservation  Board  assumed  responsibility  for 
administering  the  Agricultural  Operation  Practices  Act  (AOPA)  effective 
January  1,  2002.  AOPA's  purpose  is  to  ensure  that  the  Alberta's  confined 
feeding  operations  (CFOs)  grow  to  meet  the  opportunities  presented  by  local 
and  world  markets — in  an  environmentally  sustainable  way. 

The  Board  regulates  pre-AOPA  and  post-AOPA  CFOs.  Unless  the  Board 
issues  an  enforcement  order  or  amends  the  terms  of  the  permit,  pre-AOPA 
CFOs  follow  permits  that  were  originally  approved  by  municipalities. 
Post-AOPA  CFOs  are  newer  facilities  that  have  permits  approved  by  the 
Board  and  must  conform  to  all  applicable  AOPA  regulations  and 
requirements. 

We  recommended  in  our  2003-2004  Annual  Report  (No.  28 — page  294)  that 
the  Board: 

•  proactively  manage  odour  and  nuisance  complaints 

•  prepare  operational  plans  at  the  divisional  level  that  integrate  with  the 
annual  business  plan  and  budget 

•  rank  its  compliance  and  enforcement  activities  based  on  risk 

We  found  in  2007  that  the  Board  has  made  progress  in  managing  nuisance  and 
odour  complaints,  and  has  implemented  our  recommendation  to  integrate 
operational  plans  with  its  business  plan. 


assessment  approach  to  regulating  CFOs. 

Our  2004  report  did  not  indicate  the  steps  involved  in  performing  this  type  of 
approach.  To  better  illustrate  the  process  the  Board  needs  to  adopt,  we  have 
included  the  steps  required  in  this  report  and  compared  them  against  the 
actions  the  Board  previously  took. 


Risk  analysis 

recommendation 

repeated 


We  have  repeated  the  risk  analysis  part  of  our  2004  recommendation  to 
encourage  the  Board  to  reconsider  the  merits  of  using  a  comprehensive  risk 
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4.1  Rank  compliance  and  enforcement  activities  based  on  risk — 
recommendation  repeated 

We  have  repeated  this  recommendation  to  provide  explicitly  the  steps 
necessary  for  a  systematic  assessment  of  the  risks  posed  by  CFOs. 


Recommendation  No.  34 

We  again  recommend  that  the  Natural  Resources  Conservation  Board 

rank  its  compliance  and  enforcement  activities  based  on  risk.  To  do  so, 

the  Board  must: 

•     define  through  research  the  environmental  risks  applicable  to  CFOs 

and  their  impact 

•     categorize  CFOs  by  priority  levels  of  environmental  risk  at  different 

locations 

•     conduct  appropriate  sampling  and  testing  to  confirm  the  validity  of 

assigned  risk  levels 

•     select  and  deliver  appropriate  compliance  and  enforcement  action 

Criteria:  the  standards  we  used  for  our  audit 

Our  two  criteria  and  the  steps  involved  in  achieving  the  criteria  are  expressed 
separately  in  the  findings  section  below. 


Our  audit  findings 

First  criterion — the  Board  should  have  a  process  to  focus  compliance 
activities  on  the  most  significant  areas  in  its  jurisdiction.  To  do  this  the  Board 
should: 

•  identify  risk  criteria. 

•  use  the  criteria  to  rank  all  known  CFOs  and  identify  those  in  higher  risk 
locations. 

•  assess  samples  of  CFOs  in  higher-risk  locations  and  conduct 
comprehensive  assessments  to  confirm  if  the  selected  risk  criteria  are 
valid  and  the  risks  are  actually  present. 

•  conclude  on  the  prevalence  and  impact  of  risks. 

Identify  risk  criteria — the  Board  prepared  a  site  observation  form  as  a  tool  to 
help  it  assess  and  document  environmental  risks  associated  with  CFOs. 
However,  this  form  alone  does  not  identify  the  full  spectrum  of  potential 
environmental  risks  and  mainly  covers  air  pollution  and  surface  contamination 
risks.  For  a  complete  picture  of  risk,  the  Board  needs  other  information — from 
monitoring  reports,  and  the  analysis  of  geological  and  hydrogeological 
conditions  in  the  area. 


Risk 

identification 
incomplete 
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Criteria  need  to 
be  identified  to 
do  risk  ranking 


No  standard 
guideline  for 
completing 
inspection  form 


We  expected  the  Board  to  identify  the  major  risks  and  evaluate  CFOs  in  each 
risk  category.  This  process  would  then  let  the  Board  set  inspection  frequency 
targets  and  select  compliance  actions  based  on  types  and  levels  of  risk 
associated  with  each  CFO. 

Use  criteria  to  rank  CFOs  and  identify  those  in  higher  risk  locations — the 

Board  did  not  rank  CFOs  or  have  a  defined  sampling  procedure  because 
originally  it  had  decided  to  inspect  all  1,700  pre-AOPA  CFOs  over  5  years. 
The  Board  needs  to  do  research  to  identify  the  criteria  necessary  to  do  the  risk 
ranking. 

Assess  samples  of  CFOs  in  higher  risk  locations  and  conduct 
comprehensive  assessments  to  confirm  if  the  selected  risk  criteria  are 
valid  and  the  risks  are  actually  present — the  Board  inspected 
308  pre-AOPA  CFOs.  However  the  Board  did  not  intend  for  these  inspections 
to  be  part  of  a  comprehensive  risk  assessment  and  therefore  did  not  ensure  that 
the  inspections  were  completed  consistently  or  covered  all  relevant  risks. 

Our  discussions  with  management  and  inspectors  indicated  that  there  is  no 
standard  guideline  for  completing  the  inspection  form.  Inspectors  did  not  have 
standard  training,  guidelines,  or  the  scientific  data  needed  for  taking 
well-informed  standardized  action  based  on  the  assessed  risk  level.  For 
example,  the  site  observation  form  refers  to  a  more  detailed  checklist  to  use 
when  a  risk  factor  is  present — but  this  checklist  is  not  yet  developed. 

Additionally,  the  risk  assessments  were  insufficient  to  detect  all  environmental 
risks  associated  with  pre-AOPA  CFOs  because  they  were  based  only  on  visual 
observation  and  not  other  forms  of  assessment. 


Reports  lacked 
key  information 
for  assessing 
seriousness  of 
contraventions 


Conclude  on  prevalence  and  impact  of  risks — we  examined  inspection 
reports  for  30  out  of  the  308  facilities.  The  inspectors  found  contraventions  at 
8  of  the  facilities  included  in  our  sample.  The  Board  required  remediation  on  6 
of  15  of  the  contraventions  noted  at  these  facilities.  The  Board  advised  us  that 
while  the  inspections  were  being  performed,  it  was  still  in  the  process  of 
defining  what  constituted  a  serious  contravention.  We  found  that  the 
documentation  included  in  the  inspection  reports  often  lacked  key  information 
necessary  for  assessing  the  seriousness  of  contraventions.  In  the  absence  of  a 
predetermined  uniform  classification  terminology  and  documentation  for 
assessing  the  seriousness  of  an  inspection  result,  we  were  unable  to 
substantiate  the  Board's  conclusion  about  prevalence  and  impact  of  risks 
associated  with  these  facilities. 
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No  plan  in  place 
for  analyzing  risk 
assessment  data 


Monitoring  can 
be  improved 


Second  criterion — the  Board  should  have  sufficient  information  to  decide 
whether  to  take  additional  compliance  action. 

We  were  unable  to  find  a  clear  and  detailed  plan  for  processing,  analyzing  and 
acting  on  the  gathered  risk  assessment  data.  For  a  risk  assessment  tool  to 
achieve  its  objectives  at  the  program  level,  the  Board  needs  to  process,  analyze 
and  report  information  across  the  jurisdiction.  The  Board's  current  way  of 
processing  and  storing  information  makes  such  overall  analysis  inefficient  and 
time  consuming. 

We  also  reviewed  the  Board's  systems  for  processing  and  managing 
information  collected  via  monitoring  reports.  Both  the  design  and 
implementation  of  the  monitoring  system  can  be  improved.  The  groundw  ater 
monitoring  database  currently  documents  monitoring  reports  from  148 
facilities  out  of  a  total  of  291  operations  with  monitoring  requirements.  Out  of 
approximately  1 12  prc-AOPA  municipally  approved  CFOs  required  to  install 
a  groundwater  leak  detection  system,  only  63  hat!  specific  groundwater 
monitoring  conditions  (testing  parameters,  sampling  frequency,  etc.).  As  of 
January  2006,  out  of  the  63  operations  with  groundwater  monitoring 
conditions,  only  19  operations  have  been  submitting  monitoring  reports.  We 
have  not  seen  an  effective  mechanism  for  identi tying  and  pursuing  such 
contraventions  promptly. 

Implications  and  risks  if  recommendation  not  implemented 

The  Board  cannot  demonstrate  that  it  uses  its  resources  effectively  to  manage 
the  risk  of  environmental  harm. 


New  odour  report 
form  developed 


4.2  Proactively  manage  odour  and  nuisance  complaints — progress  report 
Background 

In  2004,  we  recommended  that  the  Board  proactively  manage  odour  and 
nuisance  complaints. 

Management  actions 

The  Board  has  made  progress  implementing  this  recommendation  by  creating 
an  Odour  Complaint  Form.  The  type  and  the  amount  of  data  that  the  form  is 
designed  to  collect  will  enable  the  Board  to  focus  its  odour  complaint 
activities  in  areas  of  highest  impact.  Because  the  implementation  of  this  form 
has  started  only  recently,  we  were  not  able  to  assess  its  impact  on  the 
efficiency  and  resource  requirements  of  the  Board's  response  to  odour 
complaints. 
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4.3  Prepare  operational  plans  at  divisional  level — implemented 
Background 

Recommendation  in  2004,  we  recommended  that  the  Board  prepare  operational  plans  at  the 
implemented  divisional  level.  These  operational  plans  should  integrate  with  the  annual 

business  plan  and  budget. 


Our  audit  findings 

The  Board  has  implemented  our  recommendation.  Its  operational  plans 
integrate  with  the  annual  business  plan  and  budget. 

5.  Performance  reporting 

We  issued  unqualified  auditor's  reports  on  the  financial  statements  of  the 
Ministry,  the  Department  and  the  Environmental  Protection  and  Enhancement 
Fund.  We  found  one  exception  when  we  completed  specified  auditing 
procedures  on  the  Ministry's  performance  measures — the  Ministry  did  not 
provide  data  for  the  Forest  Sustainability  (Reforestation  rate  in  harvested 
areas)  performance  measure. 

6.  Other  entities  that  report  to  the  Minister 

6.1  Performance  reporting — Natural  Resources  Conservation  Board 

We  issued  an  unqualified  auditor's  opinion  on  the  financial  statements  of  the 
Natural  Resources  Conservation  Board  for  the  year  ended  March  31,  2007. 
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Tourism,  Parks,  Recreation  and 
Culture 

Summary:  what  we  found  in  our  audits 

Systems 

The  Ministry  needs  to  update  its  computer  services  agreement — see  page  1 72. 
Performance  reporting 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department  and 
seven  provincial  agencies  are  unqualified.  We  found  no  exceptions  when  we 
completed  specified  auditing  procedures  on  the  Ministry's  performance  measures. 


Overview  of  the  Ministry 

Ministry  entities     jfoQ  Ministry  consists  of  the  Department  and  seven  provincial  agencies. 


Four  core 
businesses 


The  Ministry  was  established  on  December  13,  2006  and  is  responsible  for: 

•  managing  Alberta's  provincial  parks  and  protected  areas  and  promoting 
recreation  and  sport  opportunities 

•  facilitating  tourism  marketing,  development  and  film  investment 

•  promoting  Alberta's  rich  culture,  including  its  arts  and  heritage 

•  protecting  human  rights,  promoting  diversity,  fairness  and  access,  and 
supporting  the  inclusion  of  all  Albertans 


Ministry  received  The  Ministry  received  $30  million  from  sources  external  to  government  in 
$30  million  2006-2007. 


Ministry  spent 
$452  million 


Website 


In  2006-2007,  the  Ministry  spent  $452  million,  primarily  as  follows: 

(millions  of  dollars) 

Lottery  funded  programs  $  202 

Culture  and  heritage  1 1 0 
Parks,  recreation  and  sport 

Tourism  48 

Human  rights  and  citizenship  6 

For  more  information  on  the  Ministry,  visit  its  website  at  www.tprc.alberta.ca. 
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Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  followed  up  on  the  Ministry's  progress  implementing  our  previous 
recommendations  on: 

•  improving  management  systems  in  provincially-owned  parks 

•  improving  processes  for  the  grant  programs  previously  administered  by  the 
Department  of  Gaming 

2.  Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry,  Department,  and  the 
following  seven  provincial  agencies  for  the  year  ended  March  31,  2007: 

•  Alberta  Foundation  for  the  Arts 

•  Alberta  Sport,  Recreation,  Parks  and  Wildlife  Foundation 

•  Human  Rights,  Citizenship  and  Multiculturalism  Education  Fund 

•  The  Alberta  Historical  Resources  Foundation 

•  The  Government  House  Foundation 

•  The  Historic  Resources  Fund 

•  The  Wild  Rose  Foundation 

We  completed  specified  auditing  procedures  on  the  performance  measures  in 
the  Ministry's  2006-2007  annual  report. 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Computer  control  environment 
Recommendation 

We  recommend  that  the  Ministry  of  Tourism,  Parks,  Recreation  and 
Culture  work  with  Service  Alberta  to: 

•  document  the  services  that  Service  Alberta  is  to  provide  and  its 
control  environment  for  information  technology 

•  implement  a  process  to  ensure  that  Service  Alberta  consistently  meets 
service  level  and  security  requirements 

•  provide  evidence  that  control  activities  maintained  by  Service  Alberta 
are  operating  effectively 


Ministry  relies 
on  outsourced 
computer 
environment 


Background 

The  Ministry  relies  on  its  computing  environment  to  provide  complete, 
accurate,  and  valid  data  for  its  daily  business.  It  has  outsourced  many  of  its 
information  technology  (IT)  infrastructure  and  operations  to  Service  Alberta. 
Outsourcing  can  be  an  efficient  and  effective  way  to  provide  IT  services  to  an 
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operation.  However,  organizations  that  outsource  all  or  part  of  their  IT 
infrastructure  or  operations  are  still  responsible  to  meet  service  levels  and  for 
appropriate  controls  over  the  confidentiality,  integrity,  and  availability  of  all 
their  information. 


No  current 
agreement  for 
computer 
services 


Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should: 

•  have  a  contract  with  Service  Alberta  that  outlines  the  levels  of  service  that 
Service  Alberta  will  provide.  The  contract  is  known  as  a  Sen  ice  Level 
Agreement  (SLA). 

•  have  effective  documented  control  processes  in  place  to  ensure  that 
Service  Alberta  consistently  meets  the  SLA  and  that  all  Ministry 
information  remains  secure  and  available  when  required. 

•  ensure  that  control  processes  are  properly  designed  and  implemented  by 
either  Service  Alberta  or  the  Ministry,  and  that  there  is  adequate  e\  idence 
of  their  operating  effectiveness. 

Our  audit  findings 

The  Ministry  and  Sen  ice  Alberta  currently  do  not  have  an  SLA.  They  had  an 
agreement,  but  it  ended  on  March  31.  2005. 

Also,  although  Service  Alberta  is  responsible  for  providing  services  to  the 
Ministry,  there  is  no  evidence  of  controls  in  place  to  ensure  that  it  is  delivering 
these  services  as  required.  For  example: 

•  neither  the  optional  security  operations  review  and  report 
recommendations,  nor  an  independent  third-party  review  of  network 
security  exists. 

•  there  was  no  evidence  that  the  process  for  requesting  user  access,  and 
properly  documenting  the  request  and  the  granting  of  access  was 
consistently  followed. 

•  the  same  person  developed  and  tested  changes  to  the  Grant  Management 
Information  System  and  then  moved  them  to  production  during  the  year. 
However,  the  Ministry  implemented  a  new  procedure  in  March  2007  to 
prevent  this  lack  of  segregation  of  duties  from  recurring. 

•  the  Ministry  has  not  tested  its  disaster  recovery  plan. 

•  no  formal  control  process  exists  to  test  the  Ministry's  data  backups  or 
ensure  that  they  can  be  used  to  restore  data. 

Implications  and  risks  if  recommendation  not  implemented 

The  Ministry  is  ultimately  responsible  for  the  confidentiality,  integrity,  and 
availability  of  its  information — even  if: 

1 .    it  has  outsourced  some  or  all  of  its  IT  control  environment,  and 
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2.  controls  that  protects  its  information  are — even  partly — physically  and 
operationally  removed  from  its  direct  oversight. 

The  outsourced  environment  is  an  integral  part  of  the  Ministry's  IT  control 
environment.  Without  procedures  to  ensure  that  service  providers  maintain 
sound  control  environments,  the  Ministry  cannot  depend  on  the  confidentiality, 
integrity  or  availability  of  its  important  business,  financial  or  other  sensitive 
information. 

1 .2  Management  of  parks  and  protected  areas — implemented 
Background 

In  our  2002-2003  Annual  Report  (page  81),  we  recommended  that  the  Ministry 
improve  its  system  for  selecting  private  operators  to  run  provincially-owned 
parks  and  for  monitoring  contract  performance. 

Our  audit  findings 

The  Ministry  has  implemented  the  recommendation.  It  put  guidelines  in  place 
and  applies  them  to  requests  for  proposals  and  open  competitions.  It  also  uses 
them  in  selecting  operators  based  on  the  quality  of  the  proposals.  Ministry 
staff  have  developed  checklists  and  use  them  to  improve  their  monitoring  of 
contractor  performance. 

1 .3  Grants  management — progress  report 
Background 

In  2004-2005,  we  examined  the  Department  of  Gaming  grants  management 
systems.  In  our  2004-2005  Annual  Report  (pages  203  and  205)  we 
recommended  that  the  Department: 

•  ensure  published  information  on  grant  programs  available  is  complete, 
develop  guidelines  for  assessing  Other  Initiatives  Program  grants,  and 
improve  the  timeliness  of  its  grant  monitoring. 

We  followed  up  on  the  status  of  the  recommendations  at  the  Department  of 
Tourism,  Parks,  Recreation  and  Culture  (Department)  because  it  took  over  the 
Department  of  Gaming 's  grant  programs  in  a  December  2006  government 
reorganization. 

Management  actions 

Ensure  published  information  for  CFEP  and  Other  Initiatives  grant 
programs  is  complete  and  establish  guidelines  for  the  Other  Initiatives 
program — the  Department  implemented  the  recommendation  for  the 
Community  Facility  Enhancement  (CFEP)  program.  The  Department  updated 
the  published  information  to  disclose  the  form  and  size  of  grants  available, 
specifically  the  availability  of  grants  in  excess  of  $125,000. 


Recommendation 
implemented 


CFEP  published 

information 

complete 
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Plan  to  publish 
information  for 
Other  Initiatives 
program 


Steps  to  improve 

monitoring 

processes 


Focus  on  file 
reviews — 
backlog  reduced 


Questions  raised 
on  unmatched 
CIP  grants 


The  Other  Initiatives  program's  purpose  is  to  fund  projects  that  do  not  fall 
within  the  parameters  of  other  government  programs.  The  Department  is  in  the 
process  of  developing  information  to  publish  for  the  Other  Initiatives  program. 
The  information  will  cover  existence,  nature  and  purposes.  The  Department 
has  an  established  process  to  assess  Other  Initiatives  grant  applications  against 
the  program  objectives  and  enforce  accountability  of  grant  recipients  for  use  of 
funds  through  grant  agreements. 

Improve  the  timeliness  of  grant  monitoring — the  Department  has  made 
progress  implementing  this  recommendation.  In  June  2006,  the  Department 
started  a  one-year  initiative  to  improve  the  timeliness  of  receiving  and 
reviewing  financial  accounting  statements  from  grant  recipients.  The 
Department  hired  additional  staff  that  used  monthly  reminders  and  phone  calls 
to  follow  up  on  outstanding  documents  with  grant  recipients.  Management  also 
created  a  new  report  to  track  and  monitor  the  status  of  approved  applications. 

Since  the  one-year  program  started,  the  Department  made  progress  in  reducing 
the  backlog  of  files  awaiting  documentation  and  financial  statement  reviews. 
Over  3,125  files  were  closed.  At  the  end  of  April  2007,  less  than  4%  (587  of 
14,960)  of  grants  recipients  had  not  filed  financial  accounting  statements  by 
the  Department's  due  date.  To  be  effective,  the  Department  must  apply  the 
resources  necessary  to  ensure  the  catch-up  effort  is  sustained  permanently. 

To  finish  implementing  this  recommendation,  the  Department  needs  to 
establish  an  ongoing  process  for  ensuring  that  grant  funds  have  been  used  as 
intended  through  prompt  receipt  and  review  of  grant  recipient  financial 
statements.  The  process  must  ensure  prompt  review  of  the  financial  statements 
from  all  grant  recipients — not  just  those  applying  for  new  grants. 

1.4  Community  Initiative  program  (CIP)— unmatched  grants  in  excess 
of  $10,000 
Background 

On  May  15,  2007,  the  Minster  of  Tourism,  Parks,  Recreation  and  Culture 
presented  to  the  Legislative  Assembly  copies  of  the  2004  CIP  guidelines, 
which  were  not  previously  posted  on  the  Department's  website,  and  a  list  of 
unmatched  CIP  grants  over  $10,000  for  a  three-year  period.  This  responded  to 
questions  Members  raised  on  the  nature  of  unmatched  CIP  grants  in  excess  of 
$10,000  and  on  whether  the  Minister  had  the  discretion  to  make  the  grants. 
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Grants  met  CIP 

program 

guidelines 


Our  audit  findings 

We  examined  the  information  on  unmatched  grants  in  excess  of  $10,000 
covering  a  three-year  period.  We  tested  a  sample  of  these  grants  and 
reconfirmed  our  previous  audit  conclusion  that  the  systems  to  ensure  that  CIP 
grants  comply  with  program  guidelines  were  operating  as  designed.  The 
unmatched  grants  in  excess  of  $10,000  were  made  under  the  Minister's 
authority  to  use  discretion  under  section  9.1  of  the  CIP  Program  Guidelines. 


Performance  measures 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on 
the  Ministry's  performance  measures. 


176 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 — Audits  and  recommendations 


Treasury  Board 


Treasury  Board 

Summary:  what  we  found  in  our  audits 

Systems 

Assessing  and  prioritizing  Alberta's  infrastructure  needs — -see  Volume  1 . 
page  29. 

Government  Credit  Cards — see  Volume  1,  page  172. 

The  Ministry  should  provide  guidance  to  departments  to  ensure  consistent 
accounting  treatment  of  grants  throughout  government — see  page  178. 

Performance  reporting 

Our  auditor's  report  on  the  Ministry  of  Treasury  Board  financial  statements  is 
unqualified.  Because  the  Ministry  did  not  have  any  performance  measures,  we 
did  not  complete  any  specified  auditing  procedures. 


Overview  of  the  Ministry 

Five  core  businesses    The  Ministry  of  Treasury  Board's  2007-2010  business  plan  identifies  five  core 
businesses: 

•  Spending  management  and  planning 

•  Strategic  capital  planning 

•  Accountability  in  government 

•  Corporate  internal  audit  services 

•  Oil  sands  sustainable  development  secretariat 

Spent  $8  million        \n  2006-2007,  the  Ministry  spent  approximately  $8  million.  It  did  not  have  any 
revenues. 

For  more  information  on  the  Ministry  and  its  programs,  visit  its  website  at 
www.treasuryboard.gov.ab.ca. 


Scope:  what  we  did  in  our  audits 

1 .  Systems 

We  examined  whether  departments  are  applying  the  government's 
accounting  policy  for  grants  consistently. 

We  followed  up  on  our  previous  year's  recommendation  on  Supplementary 
Retirement  Plans. 
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Performance  reporting 

We  audited  the  financial  statements  of  the  Ministry  for  the  year  ended 
March  31,  2007. 


Government's 
accounting  policy 
for  grants 


Clarifies  eligibility 
criteria 


Conditions  for  large 
capital  construction 
projects 


Our  audit  findings  and  recommendations 

1 .  Systems 

1.1  Inconsistent  budgeting  and  accounting  for  grants 
Recommendation 

We  recommend  that  the  Ministry  of  Treasury  Board,  working  with 
other  departments,  provide  guidance  to  ensure  consistent  accounting 
treatment  of  grants  throughout  government. 

Background 

The  Canadian  Institute  of  Chartered  Accountant's  Public  Sector 
Accounting  Handbook,  section  3410,  states  that  grants  should  be 
recognized  as  liabilities  or  expenses  in  the  financial  statements  in  the  period 
that  the  events  giving  rise  to  the  grant  occurred,  as  long  as: 

•  the  grant  is  authorized; 

•  eligibility  criteria,  if  any,  have  been  met  by  the  recipient;  and 

•  a  reasonable  estimate  of  the  amount  can  be  made. 

In  the  Province  of  Alberta's  consolidated  financial  statements,  the 
government's  accounting  policy  for  grants  is  described  as  follows:  "grants 
are  recognized  as  expenses  when  authorized,  eligibility  criteria,  if  any,  are 
met,  and  a  reasonable  estimate  of  the  amounts  can  be  made."  In  the  fiscal 
year  ending  March  3 1 ,  2007,  the  total  amount  of  grants  expensed  in  the 
province's  consolidated  financial  statements  was  more  than  $22  billion. 

Recently,  the  Public  Sector  Accounting  Board  issued  draft  guidance  on 
government  transfers.  The  guidance  clarifies  the  definition  of  eligibility 
criteria  when  assessing  if  a  liability  exists,  so  it  will  likely  affect  accounting 
for  grants  in  the  future.  The  Board  is  working  to  improve  consistency 
across  Canada  of  accounting  for  grants. 

When  departments  sign  agreements  to  pay  grants,  the  agreements  typically 
include  conditions  specifying  what  the  recipient  must  do  to  receive  the 
funding.  The  conditions  in  the  agreements  are  typically  based  on  a 
percentage  of  completion  and  require  submissions  of  documentation 
showing  approvals,  work  progress,  certificates,  and  compliance  with  laws. 
For  large  capital  construction  projects,  the  departments  pay  the  funds  over 
several  years,  usually  as  the  project  is  built  and  as  the  recipient  meets 
conditions. 
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Treatment  should  be 
consistent 


Treatment  not 
consistent  across 
government 


Record  liability 
when  recipient 
meets  conditions 


Record  liability 
when  agreement 
signed 


Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  of  Treasury  Board  should  provide  guidance  to  all  departments 
to  ensure  they  budget  and  account  for  grants  in  accordance  with  the 
relevant  accounting  standards  and  the  Government  of  Alberta  policy,  which 
will  ensure  consistent  accounting  treatment  of  grants  throughout 
government. 

Our  audit  findings 

Grant  liabilities  and  expenses  are  not  consistently  budgeted  or  accounted 
for  across  government.  Departments  treat  grants  differently    even  though 
they  have  similar  characteristics  and  agreements.  The  problem  is  when  the 
departments  recognize  liabilities  and  the  basis  they  use  to  record  these 
liabilities.  Departments  record  a  liability  and  an  expense  at  the  following 
various  times: 

•  when  the  recipient  meets  conditions  of  the  grant  agreement. 

•  when  the  grant  agreement  is  signed, 

•  when  the  project  has  been  approved,  or 

•  when  the  Minister  has  approved  the  grant. 

Examples  of  recording  inconsistencies  are  below: 
As  grant  conditions  met — the  departments  of  Infrastructure  and 
Transportation,  Education,  and  some  program  areas  in  Advanced  Education 
and  Technology,  Agriculture  and  Food,  and  Health  and  Wellness  record 
grant  liabilities  and  expenses  for  capital  construction  in  their  financial 
statements  in  the  same  period  they  pay  the  funds — as  recipients  meet 
conditions  of  grant  agreements. 

When  the  Minister  approves  a  project,  the  department  notifies  the  recipient 
and  the  two  parties  sign  an  agreement.  Then,  these  departments  show  a 
commitment  in  their  financial  statements,  but  they  do  not  record  the 
liability  and  expense  until  the  recipient  has  met  the  grant  conditions.  This  is 
consistent  with  how  they  budget  the  expenses.  Budgets  are  based  on  the 
departments'  expectation  of  a  project's  stage  of  completion  when  they 
prepare  the  budget. 

When  grant  agreement  signed — the  departments  of  Energy,  Children's 
Services,  and  some  program  areas  in  Tourism,  Parks,  Recreation  and 
Culture,  Agriculture  and  Food,  and  Advanced  Education  and  Technology 
budget  and  record  the  liability  and  expense  when  the  grant  agreements  are 
signed,  but  they  don't  pay  the  grant  until  the  recipient  meets  the  grant 
conditions. 
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when  project 
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when  Minister 
approves 


Timing  of  recording 
is  different 


Different 
interpretations  of 
eligibility  criteria 


When  project  approved — the  departments  of  Municipal  Affairs  and 
Housing  and  Seniors  and  Community  Supports  budget  and  record  the 
liability  and  expense  when  they  notify  the  recipient  of  grant  approval  for  a 
capital  construction  project,  but  they  don't  pay  the  grant  until  the  recipient 
meets  the  grant  conditions. 

When  Minister  approves  grant — some  program  areas  in  the  departments 
of  Tourism,  Parks,  Recreation  and  Culture,  and  Health  and  Wellness  budget 
and  record  the  liability  and  expense  when  the  Minister  has  approved  the 
grants,  but  they  don't  pay  the  grant  until  the  recipient  meets  the  grant 
conditions. 

In  all  these  examples,  the  grant  agreements  have  conditions,  but  the 
departments  budget  for  the  grants  and  record  them  as  liabilities  and 
expenses  at  different  times.  These  examples  are  not  comprehensive, 
because  we  did  not  look  at  all  grants  in  all  programs.  But  there  is  enough 
evidence  to  conclude  that  departments  are  budgeting  and  accounting  for 
grants  inconsistently. 

Neither  the  existing  Public  Sector  Accounting  Handbook,  nor  the 
Government  of  Alberta  policy  clearly  identifies  what  "eligibility  criteria" 
need  to  be  met  to  record  grants.  In  the  first  case  above,  departments  used 
the  conditions  in  the  grant  agreements  as  "eligibility  criteria".  In  the  other 
cases,  departments  used  project  approval  as  the  eligibility  criteria.  For 
them,  conditions  in  the  agreement  relate  more  to  the  flow  of  funds  and 
accountability  for  grants,  but  not  eligibility  criteria.  The  Ministry  of 
Treasury  Board  has  not  provided  guidance  to  departments  on  eligibility 
criteria. 


The  current  accounting  treatments  may  be  appropriate  given  the  lack  of 
clarity  in  the  existing  standard,  past  practices,  and  the  fact  that  departments 
are  consistently  applying  their  own  practices  across  similar  programs. 
However,  inconsistencies  exist  in  budgeting  and  accounting  for  grants 
across  the  government.  That  treatment  should  be  consistent  and  match  the 
Government  of  Alberta's  policy.  If  the  Public  Sector  Accounting  Board 
approves  the  new  guidance  on  transfers,  some  current  practices  may  not 
comply  with  the  accounting  standards. 

Implications  and  risks  if  recommendation  not  implemented 

Without  consistent  budgeting  and  accounting  practices,  grants  are  budgeted 
for  and  expensed  in  one  year  but  paid  out  over  several  years.  So,  funds  are 
being  appropriated  prematurely,  and  the  government  could  use  them  for 
other  purposes. 
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1.2  Supplementary  Retirement  Plans  (SRPs) — implemented 
Background 

In  our  2005-2006  Annual  Report  (Volume  2,  No.  30b — page  97),  we 
recommended  that  the  Ministry  of  Treasury  Board  review  the  Treasury 
Board  Directives  to  ensure  that  the  amount  disclosed  as  the  total 
compensation  of  each  senior  executive  includes  Supplementary  Retirement 
Plan  benefits  earned  in  the  year. 

Our  audit  findings 

The  Ministry  of  Treasury  Board  drafted  an  amendment  to  the  Salary  and 
Benefits  Disclosure  Directive,  which  requires  clear  and  complete  disclosure 
of  annual  and  cumulative  SRP  benefits  that  senior  executives  earn.  The 
Treasury  Board  approved  this  amendment  on  June  13,  2007.  Total 
compensation  for  each  senior  executive,  disclosed  in  financial  statements, 
now  includes  all  benefits  earned  during  the  year,  and  the  cumulative 
liability  to  each  senior  executive  is  also  disclosed. 

2.    Performance  reporting 

Unqualified  opinion  Our  auditor's  report  on  the  Ministry's  March  3 1 ,  2007  financial  statements 

is  unqualified. 


Clear  and  complete 
disclosure 
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Offices  of  the  Legislative  Assembly 

Summary:  what  we  found  in  our  audits 

Systems 

The  Members'  Services  Committee  should  clarify  policies  and  guidelines  governing 
purchases  of  gifts  by  Members,  and  payments  of  bonuses  to  constituency  employees 
by  Members. 

Performance  reporting 

Financial  statements 

We  audited  the  financial  statements  of  all  the  Offices  of  the  Legislative  Assembly, 
except  our  own.  A  private  sector  firm  of  chartered  accountants  appointed  by  the 
Standing  Committee  on  Legislative  Offices  audited  our  financial  statements. 

Our  auditor's  reports  for  all  Offices'  financial  statements  contained  unqualified  audit 
opinions  for  the  year  ended  March  3 1 ,  2007. 


Unqualified 
auditor's  reports 


Overview  of  the  Offices  of  the  Legislative  Assembly 

6  Offices  of  the       There  are  six  Offices  of  the  Legislative  Assembly.  They,  and  their  expenses,  are: 

Legislative 

Assembly 

(millions  of  dollars) 


Legislative  Assembly  Office  $41.6 

Office  of  the  Auditor  General  1 8.6 

Office  of  the  Information  and  Privacy  Commissioner  4.5 

Office  of  the  Ombudsman  2.3 

Office  of  the  Chief  Electoral  Officer  1 .9 

Office  of  the  Ethics  Commissioner  0.4 


For  more  detail  on  the  Legislative  Assembly  Office,  visit  its  website  at 
www.assembly.ab.ca.  This  website  also  contains  links  to  the  other  five  Offices  of  the 
Legislative  Assembly. 
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Our  audit  findings  and  recommendations 

1 .   Legislative  Assembly  Office — payments  to  Members 
1.1  Summary 

We  examined  systems  that  the  Legislative  Assembly  Office  (Office)  uses  to 
support  Members  of  the  Legislative  Assembly  (Members)  in  their  role  as  elected 
representatives,  including  constituency  office  support,  Members'  pay, 
allowances,  entitlements,  travel  and  other  expense  reimbursements. 


Policies  and 
guidelines  could 
be  improved 


Overall,  we  found  that  the  Office  has  adequate  systems  to  ensure  payments  to  or 
on  behalf  of  Members,  their  staff  and  offices  are  in  accordance  with  established 
policies.  The  systems  are  operating  as  intended,  but  the  policies  and  guidelines 
associated  with  the  systems  could  be  improved. 


We  make  recommendations  to  the  Members'  Services  Committee  to  clarify 
these  policies  and  guidelines.  These  recommendations  are  intended  to  result  in 
improved  guidance  to  Members  and  to  further  clarify  the  processes  undertaken 
by  the  Office. 


Clarify  policies 
for  gifts  and 
promotional  items 


The  Members'  Services  Committee  needs  to  clarify  policies  and  guidelines 
governing  purchases  of  gifts  and  promotional  items  by  Members. 


Members 
purchased  a 
variety  of  gift  and 
promotional  items, 
none  of  which 
were  in  violation 
of  policies  and 
guidelines 


Clarify  policies 
for  bonuses  to 
constituency 
employees 


Review 
Temporary 
Residence 
Allowance 


We  found  no  purchases  of  gifts  or  promotional  items  by  Members  that  were 
contrary  to  policies  and  guidelines.  Annual  purchases  of  gifts  and  promotional 
items  by  Alberta's  83  Members  in  2006-2007  totalled  $890,244  (average 
$10,725  per  Member)  and  $990,241  in  2005-2006  (average  $1 1,930  per 
Member).  There  were  various  types  of  gifts  and  promotional  items  purchased; 
some  had  significant  value.  The  most  expensive  single  item  was  a  sculpture 
purchased  for  $  1 ,400  as  a  donation  to  a  museum.  The  least  expensive  items 
purchased  were  pens,  pencils,  pins  and  refrigerator  magnets.  The  current 
guidelines  offer  limited  guidance  on  what  may  be  an  appropriate  item  for  a 
Member  to  purchase  as  a  promotional  item  or  gift. 

The  Members'  Services  Committee  needs  to  clarify  policies  and  guidelines 
governing  Members'  payments  of  bonuses  to  their  constituency  employees.  We 
found  instances  where  Members  provided  bonuses  representing  over  1 00%  of  an 
employee's  annual  wage. 

The  Members'  Services  Committee  also  needs  to  review  whether  the  system 
governing  the  Temporary  Residence  Allowance  is  working  as  intended.  We 
found  four  Members  who  received  a  temporary  residence  allowance  exceeding 
$5,000  for  the  month  of  March  2007. 
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Office  approves 
expense  payments 
to  Members 


Reviewed  expense 
payments  for 
30  Members 


Office  agreed  to 
audit  criteria;  4  of 
5  criteria  met 


Systems  are 
operating  as 
intended,  but 
policies  and 
guidelines  could 
be  improved 


1.2  Audit  objectives  and  scope 

Our  objective  was  to  determine  if  the  Office  has  systems  in  place  to  effectiv  ely: 

•  assess  the  appropriateness  of  expense  payments  to,  or  on  behalf  of 
Members,  their  support  staff,  constituency  or  caucus  offices 

•  ensure  that  transactions  are  processed  in  accordance  with  established 
policies  and  directives 

The  scope  of  this  audit  was  to  examine  Members'  expenses  for  fiscal  years 
ended  March  31,  2006  and  March  31,  2007.  We  examined  payments  to  Members 
associated  to: 

•  travel  expenses 

•  temporary  residence  allowance 

•  constituency  office,  communication  and  promotional  expenses 
We  also  examined  office  expenses  for  all  caucuses. 

We  selected  a  sample  of  30  Members  taking  into  consideration  the  composition 
of  the  Legislative  Assembly  by  party  as  well  as  a  mix  of  urban  and  rural 
representatives.  We  examined  supporting  documentation  for  these  30  Members. 

1.3  Conclusions 

We  frame  our  overall  conclusion  about  the  Office's  systems  in  terms  of  three 
questions: 

•  Do  adequate  systems  exist? 

•  Are  the  systems  well  designed? 

•  Do  the  systems  operate  as  intended? 

To  provide  a  structure  for  our  work,  we  developed  and  agreed  with  management 
on  5  audit  criteria  to  use  as  standards  for  our  audit.  At  the  end  of  the  audit,  we 
use  these  same  criteria  to  assess  the  Office's  systems.  We  concluded  that  the 
Office  met  4  criteria,  and  partly  met  1  criterion. 

We  concluded  that  the  Office  has  adequate  systems  to  ensure  that  payments 
made  to  or  on  behalf  of  Members  are  in  accordance  with  established  policies  and 
guidelines.  The  systems  are  operating  as  intended.  However,  the  policies  and 
guidelines  designed  to  assess  the  appropriateness  of  expense  payments  could  be 
improved  by  clarifying  guidance  to  Members  about  purchases  of  gifts,  and 
payroll  bonuses  made  to  constituency  employees.  Also  the  temporary  residence 
allowance  needs  to  be  reviewed  to  ensure  the  system  is  working  as  intended. 
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Members' 
Services 

Committee  should 
decide  what  is 
suitable 


The  current  policies  and  guidelines  governing  the  purchase  of  gifts  and 
promotional  items  are  too  general.  As  a  result,  the  Office  must  assess  the 
suitability  of  a  gift.  The  Members'  Services  Committee  should  preserve  its 
discretion  to  assess  the  suitability  of  Member  purchases  and  not  expect  the 
Office  to  do  so.  Clear  and  detailed  policies  and  guidelines  will  minimize  the 
need  for  the  Office  to  interpret  the  rules. 

The  following  table  details  the  criteria  we  used  for  our  audit,  and  our  assessment 
of  the  Office's  performance  against  those  criteria: 


Criteria 

Conclusion 

Met 

Partly 
met 

Recommendation 

1 .  There  should  be  clearly 
documented  policies  and 
processes  communicated  to  the 
appropriate  parties 

1     C  1 

1.5.1 
1.5.2 

2.  Payments  should  be  made  only 
in  accordance  with  legislation, 
guidelines  and  policies 

3.  Records  should  contain 
sufficient  documentation  to 
demonstrate  the  necessary 
compliance  to  policies 

/ 

4.  There  should  be  adequate 
controls  to  ensure  compliance 
with  policies 

/ 

5.  There  should  be  processes  to 
recover  non-compliant 
transactions 

Guidelines  for 
purchases  of  gifts, 
and  bonuses  to 
constituency 
employees  need  to 
be  clarified 


Criterion  1 — clearly  documented  policies 

This  criterion  was  partially  met.  The  Order1  dealing  with  expenditures  on  gifts 
and  promotional  items  and  dealing  with  remuneration  to  constituency  employees 
needs  to  be  clarified.  The  section  of  the  Order  addressing  the  purpose  of  gifts 
has  not  changed  since  1992,  although  the  budgeted  amount  for  gifts  has 
increased  during  the  last  15  years.  The  Order  states  the  promotion  allowance 
may  be  used  to  purchase  items  such  as  flags,  pins  and  gifts  considered 
appropriate  by  the  Member.  We  found  a  wide  range  of  items  purchased — from 
pens  and  pencils  to  works  of  art,  and  all  were  within  the  current  policies  and 
guidelines.  We  also  found  instances  where  Members  provided  bonuses  of  over 


1  Constituency  Services  Order  RMSC  1992,  c.  C-l  of  the  Consolidated  Members'  Services  Committee  Orders 


186 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 — Audits  and  recommendations 


Offices  of  the  Legislative  Assembly 


100%  of  constituency  employees'  wages.  See  Recommendation  1 .5. 1 


Guidelines  for 
Temporary 
Residence 
Allowance  need  to 
be  reviewed 


The  Order  dealing  with  temporary  residence  is  needlessly  complex.  The 
purpose  of  the  allowance  is  to  offset  reasonable  costs  incurred  by  the  Member  to 
arrange  accommodation  in  the  capital.  In  March  2007,  eligible  Members 
received  the  monthly  Capital  Residence  Allowance  more  than  once  in  the  month 
and  received  the  daily  sessional  allowance  in  the  same  calendar  month;  one 
Member  received  a  total  of  $5,425  for  the  month  and  three  Members  received 
$5,075.  See  Recommendation  1.5.2. 


Payments  made  in 
accordance  with 
requirements 


Criterion  2 — expense  payments  in  accordance  with  legislation 

This  criterion  was  met.  In  reviewing  expense  payments  made  to  the 
30  Members,  we  found  they  were  in  accordance  with  existing  legislation'  and 
Orders.  We  found  the  Office  kept  a  good  record  of  the  various  entitlements  a 
Member  can  receive. 


Good  records  are 
kept 


Controls  are  in 
place 


Criterion  3 — records  contain  sufficient  documentation 

This  criterion  was  met.  We  found  very  good  supporting  documentation  for 
Member  expenses.  If  a  Member  pays  for  expenses,  he/she  completes  a  personal 
expense  form  outlining  the  expenses.  This  document  is  signed  by  the  Member 
and  submitted  to  the  Financial  Management  and  Administrative  Services 
(FMAS)  division  with  detailed  receipts.  For  purchases  made  through  a  vendor, 
the  Member  completes  a  purchase  order,  signs  it  and  submits  it  to  the  Office 
with  the  vendor's  invoice.  On  occasions  when  a  receipt  or  invoice  did  not 
provide  sufficient  detail,  we  saw  ample  evidence  that  the  Office  contacted  the 
Member's  constituency  office  for  clarification  or  further  documentation. 
Although  there  was  little  or  no  information  to  identify  the  intended  recipients  or 
purposes  of  gift  purchases,  there  is  no  requirement  in  current  policies  and 
guidelines  to  provide  this  information. 

Criterion  4 — adequate  controls  to  ensure  compliance 

This  criterion  was  met.  FMAS  staff  is  well  versed  in  the  legislation  and  Orders 
that  govern  Member  expenses.  We  found  ample  evidence  of  controls  in  place  to 
ensure  compliance.  We  found  when  an  expense  claim  was  unusual,  FMAS  staff 
would  bring  it  to  the  attention  of  their  Director.  In  making  a  decision  as  to 
whether  the  expense  claim  should  be  approved,  the  Director  would  do  any  one 
of  the  following: 


2  Members'  Allowances  Order  RMSC  1992,  c.  M-l  of  the  Consolidated  Members'  Services  Committee  Orders 

3  Legislative  Assembly  Act 
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•  review  previous  decisions  that  are  kept  in  a  database 

•  bring  the  matter  forward  to  parliamentary  counsel 

•  review  correspondence  issued  by  the  Speaker  to  Members 

•  review  Members'  Services  Committee  transcripts  (Hansard)  to  see  what  the 
intention  of  the  committee  was  when  the  Order  was  made 


Very  few  non- 
compliant 
transactions  found 


Members' 
Services 
Committee  sets 
entitlements  for 
Members 


Office  administers 
payments  to 
Members 


Criterion  5 — processes  to  recover  non-compliant  transactions 

This  criterion  was  met.  We  noted  five  instances  where  the  Office  refused  an 
expense  submitted  by  a  Member.  In  all  cases,  the  Member's  expense  claim  was 
adjusted  or  the  Member  reimbursed  the  Office  by  personal  cheque.  FMAS  staff 
scrutinized  the  various  expenses  to  ensure  compliance  with  polices.  Overall 
there  were  very  few  personal  expenses  found  with  Member  expenses. 

1.4  Overview 

Under  the  Legislative  Assembly  Act,  the  Members'  Services  Committee, 
consisting  of  1 1  Members  of  the  Legislative  Assembly,  sets  the  various 
entitlements  a  Member  of  the  Legislative  Assembly  may  receive.  Decisions 
made  by  the  Committee  are  incorporated  into  various  Orders.  The  Committee  is 
traditionally  chaired  by  the  Speaker.  The  Committee  decides  the  entitlement 
amounts  for: 

•  travel  expenses  incurred  on  Member  business 

•  temporary  residence  allowance 

•  Member's  Services  Allowance4  which  covers: 

•  constituency  office  operations 

•  constituency  communications 

•  security  systems  for  Members'  residences 

•  promotion  and  gifts 

•  caucus  office  expenses 

The  Financial  Management  and  Administrative  Services  (FMAS)  division  of  the 
Office  administers  expense  payments  to  support  Members  and  has  some 
discretion  for  reasonability.  The  Human  Resource  Services  division  of  the  Office 
administers  Member  remuneration.  This  includes  a  basic  indemnity5,  tax  free 
allowance,  benefits,  additional  indemnities  and  allowances  based  on  position 
within  the  Legislative  Assembly,  and  membership  on  legislative  and  government 
committees.  Human  Resource  Services  also  administers  remuneration  for  all 
constituency  and  caucus  support  staff. 


The  allowance  is  based  on  a  formula  that  takes  into  account  the  number  of  electors  and  the  population  of  each 
constituency,  plus  an  adjusting  matrix  factor.  The  allowance  was  approximately  $100,000  per  member  in  the  2006/07 
fiscal  year.  Although,  in  some  cases  Members  have  exceeded  their  spending  allowance  by  no  more  than  10%,  there  is  a 
process  in  place  to  recapture  any  overages  in  the  next  year.  In  any  event  we  found  no  circumstances  that  indicated  further 
work  was  required  in  this  area. 

Amount  provided  to  Members  commonly  referred  to  as  a  salary. 


188 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 — Audits  and  recommendations 


Offices  of  the  Legislative  Assembly 


$25.2  million  to 
support  Members 
of  all  parties 


We  reviewed 
travel  and  caucus 
expenses  and 
found  no  problems 


Members  are 
responsible  for 
their  Members' 
Services 
Allowance 


Members  are  in  a  unique  position  as  they  approve: 

•  the  amount  of  remuneration  and  benefits  they  receive 

•  the  amount  of  allowance  for  Member  expenses 

•  their  own  expenses  as  expenditure  officer 

There  are  83  Members  sitting  in  the  Legislative  Assembly  of  Alberta.  In  the  year 
ended  March  31,  2007,  the  Office  distributed  approximately  $25.2  million  to 
support  Members  from  all  parties.  MLA  remuneration  accounts  for 
approximately  80%  of  this  support,  with  the  remaining  amount  being  expense 
payments6. 

We  examined  the  travel  expenses  of  the  30  Members  in  our  sample.  The  Office 
has  a  good  system  in  place  to  deal  with  these  expenses.  There  was  proper 
supporting  documentation  and  review  by  the  Office.  We  also  examined  the 
caucus  expenses  and  found  no  issues  needing  further  review. 

1 .5  Our  audit  findings  and  recommendations 

1 .5.1      Strengthen  policies  for  Members'  Services  Allowance 
Recommendation 

We  recommend  that  the  Members'  Services  Committee  clarify  policies  and 
guidelines  governing: 

•  purchases  of  gifts  by  Members 

•  payments  of  bonuses  to  constituency  employees  by  Members 
Background 

The  Constituency  Services  Order  that  establishes  the  Member's  Services 
Allowance  gives  discretion  to  the  Member.  Each  Member  is  free  to  allocate  their 
Member's  Services  Allowance  in  the  manner  that  he/she  feels  best  serves  the 
constituency. 

The  Constituency  Services  Order  regarding  promotional  items  states  that  the 
allowance  may  be  used  to  pay  for  the  purchase  of: 

•  pins,  flags,  or  other  things  suitable  for  the  Member's  constituents  and 
others,  or 

•  items  suitable  as  gifts  to  be  given  in  the  course  of  the  Member's  duties. 


6  Legislative  Assembly  Office:  Statement  of  Operations  for  the  year  ended  March  31.  2007  and  information  from  the 
Senior  Financial  Officer,  LAO. 
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Broad  guidelines 
for  purchases  of 
gifts,  and  payment 
of  bonuses  to 
constituency 
employees 


Within  this  very  broad  parameter,  general  guidelines  have  been  adopted.  A  gift 
cannot  be  for  the  Member,  for  another  Member  or  bring  disgrace  to  the  Member 
or  the  Legislative  Assembly.  The  Expenditure  Guidelines  for  Members  of  the 
Legislative  Assembly  of  Alberta  prohibit  the  following  items: 

•  cash  donations 

•  cheques,  money  orders,  bank  drafts 

•  livestock,  pets 

•  any  item  with  a  partisan  identification 


The  Member's  Services  Allowance  provides  funds  for  the  payment  of 
constituency  employees.  Within  this  allowance,  there  is  no  limit  to  the  amount 
constituency  employees  can  be  paid.  Members  recruit  their  own  employees  who 
are  hired  through  the  Human  Resource  Services  area  of  the  Office. 

Our  audit  findings — gifts 

The  Office  has  systems  in  place  to  ensure  Member  expenses  comply  with  the 
existing  legislation  and  Order.  The  system  is  operating  as  intended.  However, 
the  policies  and  guidelines  could  be  improved  by  providing  clarification  on  what 
are  eligible  expenses  for  promotions  and  gifts. 


Members  spent 
$890,244  on 
promotional  items 
and  gifts 


Variety  of  gift  and 
promotional  items 
purchased 


For  the  year  ended  March  31,  2007,  the  83  Members  collectively  spent  $890,244 
(average  $10,725  per  Member)  on  promotional  and  gift  items;  for  the  year  ended 
March  31,  2006,  Members  collectively  spent  $990,241 7  (average  $1 1,930  per 
Member).  Members  provide  gifts  to  promote  themselves  as  Members  of  the 
Legislative  Assembly,  their  constituencies,  or  the  Province  of  Alberta. 

We  found  numerous  purchases  of  promotional  items — tokens  such  as  pins,  flags, 
pens,  pencils,  and  refrigerator  magnets.  We  also  found  a  variety  of  other  gifts, 
some  with  significant  value  such  as  an  artwork  for  $  1 ,400  as  a  donation  to  a 
museum,  and  a  glass  sculpture  purchased  for  $  1 ,000  as  a  donation  to  a  charitable 
silent  auction. 


7  This  does  not  include  $415,000  which  was  a  one  time  allowance  of  $5,000  per  Member  for  the  purchase  of  Centennial 
related  promotional  items  at  the  community  level.  Funds  for  this  expenditure  were  provided  by  the  Alberta  Gaming 
Lottery  Fund. 
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Gifts  and 
promotional  items 
in  our  sample 
complied  with 
policies  and 
guidelines 


No  restriction  on 
per  item  cost  or 
total  spending  on 
gifts  within 
Allowance 


Some  Members 
gave  large 
bonuses  to  their 
constituency 
employees 


Members  provided  supporting  documentation  to  FMAS  for  all  of  the  above  gifts, 
including  detailed  invoices/receipts  and  either  an  expense  claim  form  or  a 
purchase  order  signed  by  the  Member.  There  was  little  or  no  indication  who 
received  the  gift  or  why.  However,  all  promotional  and  gift  items  we  examined 
in  our  sample  complied  with  existing  policies  and  guidelines.  We  interviewed 
several  Members.  They  told  us  that  items  purchased  were  for  charitable 
purposes,  recognition  of  community  volunteers  and  community  events.  The 
nature  of  the  gifts  was  consistent  with  the  stated  purpose. 

The  current  policies  need  to  be  reviewed.  It  is  unclear  to  us  what  was 
contemplated  by  the  Members'  Services  Committee  as  being  suitable  when  the 
policies  and  guidelines  were  originally  drafted.  There  is  no  restriction  on  the  per 
item  amount  of  a  gift  or  on  the  portion  of  the  total  Member's  Services 
Allowance  that  can  be  spent  on  gifts  and  promotional  items  in  a  fiscal  year. 

Our  audit  findings — bonuses  to  constituency  employees 

The  Office  has  systems  in  place  to  ensure  Member  expenses  comply  with  the 
existing  legislation  and  Orders.  The  system  is  operating  as  intended.  However, 
the  design  of  the  system  could  be  improved  by  providing  clear  guidelines  in  the 
area  of  constituency  staff  remuneration. 

In  the  2006/2007  fiscal  year,  some  Members  requested  lump  sum  payments  for 
their  constituency  office  employees.  The  requests  by  Members  do  not  indicate 
the  purpose  of  the  payments;  they  are  referred  to  as  either  a  bonus  or  a  lump  sum 
payment.  There  are  no  guidelines  or  criteria  governing  such  requests.  The  only 
restriction  is  the  total  amount  of  funds  available  in  the  Member's  Services 
Allowance.  The  employment  contracts  we  examined  that  were  signed  by  the 
employees  do  not  mention  any  type  of  performance  based  bonus  or  additional 
lump  sum  payments.  Human  Resource  Services  indicated  that  Members  choose 
to  offer  these  payments  for  a  variety  of  reasons: 

•  to  reward  exceptional  performance 

•  to  compensate  employees  for  extra  work  performed  during  the  year 

•  to  allow  employees  to  catch  up  on  pension  contributions 

•  to  compensate  for  lower  base  monthly  earnings 

Four  Members  provided  their  constituency  employees  with  bonuses  in  excessive 
of  $15,000  for  the  year.  In  two  instances,  the  amount  of  the  bonus  equaled  or 
surpassed  the  employees'  total  earnings  for  the  year.  For  example,  one  part  time 
employee  earned  $  1 8,000  and  received  a  bonus  of  $2 1 ,500. 
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Compensation 
plan  introduced  to 
improve  equity  for 
constituency 
employees 


Lack  of  guidelines 
concerning 
bonuses  must  be 
addressed 


On  April  1 ,  2006,  Human  Resource  Services  implemented  the  Constituency 
Office  Compensation  and  Benefit  Plan  (Plan)  which  had  previously  been 
approved  by  the  Members'  Services  Committee.  The  desire  was  to  provide  a 
standard  of  fairness  and  equity  in  the  compensation  package  offered  to  all 
constituency  staff.  The  Plan  introduced  job  descriptions,  a  recommended  pay 
scale  based  on  equivalent  positions  in  the  public  service,  recommended  annual 
performance  reviews  and  recommended  annual  salary  reviews  based  on  merit 
and  market. 

Human  Resource  Services  considers  this  to  be  a  transitional  period  in  terms  of 
implementation  of  the  Plan.  We  encourage  the  Office  to  continue  on  this  path 
and  we  will  review  the  progress  in  this  area  during  future  audit  work.  The 
current  guidelines  that  allow  for  unrestricted  lump  sum  payments  to  be  made  to 
employees  are  counter  to  the  goal  of  equity  and  put  the  integrity  of  the  system  as 
a  whole  at  risk.  Therefore,  guidelines  must  be  implemented  to  limit  such 
payments.  Performance  bonuses  should  be  based  on  measurable  and  commonly 
understood  criteria  that  can  be  consistently  applied  across  all  constituencies. 


Implications  and  risks  if  recommendation  not  implemented 

Failure  to  provide  clarity  in  the  policies  and  guidelines  governing  expenditures 
on  gifts  and  staff  bonuses  may  cause  a  Member  or  the  Legislative  Assembly 
Office  to  misinterpret  what  is  suitable  with  the  result  that  a  Member's  integrity  is 
undermined. 

1.5.2     Temporary  Residence  Allowance 
Recommendation 

We  recommend  that  the  Members'  Services  Committee  review  whether  the 
system  governing  the  Temporary  Residence  Allowance  is  working  as  intended. 


Background 

Members  who  require  temporary  residence8  in  or  near  Edmonton  to  carry  out 

their  duties  are  entitled  to  claim  the  following  allowances: 

•     Sessional  allowance  of  $175  per  day9  when  the  Assembly  is  in  session. 


Members  are  entitled  to  this  allowance  if  their  permanent  residence  is  located  60  kilometers  or  more  from  the  Legislature 
Building.  Members  residing  within  60  kilometers  of  the  Legislature  Building  can  claim  this  allowance  if  they  work  more 
than  12  hours  on  the  day  they  are  claiming  the  allowance. 

Amount  increased  from  $150  to  $175  per  day  on  January  1,  2007 
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Out-of-town 
Members  are 
entitled  to 
allowances  for 
living  expenses  in 
the  capital 


Rules  concerning 
allowances  are 
needlessly 
complex 


•  Non  sessional  allowance  when  the  Assembly  is  not  in  session  or  is 
adjourned  for  more  than  8  days  in  a  session.  The  non  sessional  allowance 
can  be  claimed  in  one  of  two  ways: 

•  $  1 75  per  day  for  each  day  the  Member  is  in  or  near  Edmonton  on 
public  or  official  business  and  maintains  a  temporary  residence,  for  a 
period  not  exceeding  10  days  in  a  partial  month,  or  30  days  in  any  three 
consecutive  months,  or 

•  $1,750  per  calendar  month10  or,  in  the  case  of  a  part  month,  $175  per 
day  in  the  part  month  up  to  a  maximum  of  $1,750,  where  that  Member 
owns  or  leases,  in  the  Member's  own  name,  the  temporary  residence. 
This  option  is  referred  to  as  the  capital  residence  allowance. 

Our  audit  findings — residence  allowance 

We  examined  the  current  system  dealing  with  the  temporary  residence 
allowance.  We  found  the  Order  to  be  needlessly  complex,  particularly  dealing 
with  the  capital  residence  allowance.  The  guidelines  for  the  capital  residence 
allowance  suggest  a  Member  can  claim  $1,750  per  calendar  month.  We  found  55 
of  the  60  Members  who  are  eligible  for  this  allowance  received: 

•  $1,800  in  April  2006  when  the  monthly  capital  residence  allowance  was 
$1,500. 

•  $2,625  in  March  2007  when  the  monthly  capital  residence  allowance  was 
$1,750. 


Changes  in 
sessional  calendar 
have  affected 
allowances 


Changes  in  the  sessional  calendar  have  increased  the  number  of  adjournments 
resulting  in  an  increase  in  the  amount  a  Member  can  receive  for  the  capital 
residence  allowance  in  some  months.  It  appears  Members  are  receiving  a  larger 
amount  under  the  capital  residence  allowance  than  was  intended  when  the  Order 
was  drafted. 


Members  can 
received  more 
than  one 
allowance  in  a 
month 

Members  should 
receive  fair 
compensation 


Under  certain  conditions,  the  current  Order  allows  Members  to  receive  the 
capital  residence  allowance  and  sessional  in  the  same  month.  Between  these  two 
allowances,  we  found  examples  of  one  Member  receiving  $5,425  and  three 
Members  receiving  $5,075  for  the  month  of  March  2007. 

We  are  not  sure  if  the  Members'  Services  Committee  intended  for  a  Member  to 
receive  this  amount  in  a  month  for  a  temporary  residence  allowance.  However, 
we  would  expect  that  a  Member  would  receive  fair  compensation  for  living 
expenses  in  the  capital. 


"'  Amount  increased  from  $1,500  to  $1,750  per  month  on  January  I,  2007 
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Implications  and  risks  if  recommendation  not  implemented 

Failure  to  ensure  that  the  system  works  as  intended  may  result  in  excessive  costs 
to  government  and  may  undermine  the  integrity  of  the  Legislative  Assembly  of 
Alberta. 
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Outstanding  recommendations 

This  is  a  complete  listing  of  numbered  and  unnumbered  recommendations  that 
are  not  yet  implemented. 


Auditee 

Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

Cross-Ministry 

Treasury  Board 

2002-03 

p.  27 

Consistency  of  performance  measures  in 
government  and  ministry  business  plans 

Executive  Council 

2004-05 

1  &2 

Recruiting,  evaluating  and  training  boards  of 
directors 

Service  Alberta 

2005-06 

22 

IT  Project  Management 

Advanced  Education  and  Technology 

2005-06 

23 

Effective  monitoring  of  employers  prov  iding 
apprenticeship  training 

2005-06 

Vol.  2, 
p.  12 

Apprenticeship  program — selecting  which 
employers  to  visit  based  on  risk  and 
opportunity 

Grant  MacEwan  College 

2000-01 

39 

2006-07:  19 

Financial  Processes 

Grant  MacEwan  College 

2004-05 

p.  104 

Computer  control  environment 

Grant  MacEwan  College 

Nov.  2006 

N.9 

Post  Secondary  Institutions:  Grant  MacEwan 
College  construction  management 

Grant  MacEwan  College 

Nov.  2006 

N.10 

Post  Secondary  Institutions:  Donations  to 
Grant  MacEwan  College 

Lakeland  College 

Nov.  2006 

N.6 

Contracting  practices:  Contract  policies  and 
procedures 

Lakeland  College 

Nov.  2006 

N.7 

Contracting  practices:  Monitoring  performance 

Lakeland  College 

Nov.  2006 

N.8 

Contracting  practices:  International  studies 

Mount  Royal  College 

2004-05 

p.  100 

Retention  and  severance  agreements 

Mount  Royal  College 

2004-05 

p.  101 

Governance  and  Human  Resources  Committee 
Charter 

Southern  Alberta  Institute 
of  Technology 

Nov.  2006 

N.ll 

Post  Secondary  Institutions:  Southern  Alberta 
Institute  of  Technology  construction 
management 

University  of  Alberta 

1999-00 

35 

2000-  01:  37 

2001-  02:  40 

2002-  03:  34 

Internal  control  systems 

University  of  Alberta 

2003-04 

p.  252 

Strategic  planning  for  Research 

University  of  Alberta 

2005-06 

Vol.  2, 
p.  29 

Campus  security  services 

University  of  Calgary 

2003-04 

26 

Planning  for  research  capacity 

University  of  Calgary 

2003-04 

p.  254 

Research  measures  and  targets 

University  of  Calgary 

2003-04 

p.  257 

2006-07: 
Vol.  2,  p.  15 

Controls  over  sponsored  research  and  trust 
accounts 

University  of  Calgary 

2004-05 

18 

Research  roles  and  responsibilities 

University  of  Calgary 

2004-05 

p.  91 

Research  policies 

University  of  Calgary 

2004-05 

p.  92 

Research  project  proposals 

University  of  Calgary 

2004-05 

p.  93 

Research  project  management 
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Auditee 

Original 

Rpnnrt 

Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

University  of  Calgary 

2004-05 

p.  94 

Accounting  for  research  revenues  and 
expenditures 

University  of  Calgary 

2005-06 

Vol.  2, 
p.  20 

General  computer  control 

University  of  Calgary 

2005-06 

Vol.  2, 
p.  24 

2006-07: 
Vol.  2,  p.  13 

PeopleSoft  security 

University  of  Calgary 

2005-06 

Vol.  2, 
p.  26 

Campus  security  services 

Agriculture  and  Food 

2000-01 

3 

2004-05:  20 

Evaluating  program  success:  grant 
management 

2002-03 

3 

Performance  measurement 

2003-04 

3 

BSE  Report  July  2004:  Risk  assessment  for  the 
agriculture  and  agri-food  industry  in  Alberta 

2005-06 

Vol.  2, 
p.  39 

Verifying  eligibility  for  the  Canada-Alberta 
Fed  Cattle  Set  Aside  program 

2005-06 

Vol.  2, 
p.  40 

Developing  and  monitoring  compliance  with 
an  information  technology  security  policy 

2005-06 

24 

Verifying  eligibility  for  Farm  Fuel  Benefit 
program 

Nov.  2006 

N.12 

Expense  Accounts:  Processes  for  reporting  and 
dealing  with  allegations  of  employee 
misconduct 

Agriculture  Financial 
Services  Corporation 

2005-06 

Vol.  2, 
p.  43 

Information  technology  security 

Also  see  Recommendations  to  more  than  one  ministry — page  202 

Children's  Services 

1999-00 

9 

2000-01:  5 

Cost  and  results  of  information 

2001-02 

7 

2002-03:  7 
2004-05:  25 

First  Nation  expense  recoveries 

2001-02 

8 

2002-03:  69 

Contract  Management  Systems 

2001-02 

9 

Risk  assessment  and  internal  audit  services 

2002-03 

6 

2004-05:  25 

First  Nation  Agency  accountability 

2003-04 

7 

Reporting  to  senior  management  on  the 
Delegated  First  Nation  Agencies 

Education 

1998-99 

22 

2001-02:  36 

Risk  management 

2004-05 

27 

2006-07:  23 

(Purchase  of  textbooks)  Savings  generated  by 
Learning  Resources  Centre 

2005-06 

25 

School  board  budget  process 

2005-06 

26 

School  board  interim  reporting — minimum 
standards  and  best  practices 
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Auditee 

Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

Energy 

2003-04 

10 

Oil  sands  projects  approvals — incorporating 
risk  into  project  assessment 

2004-05 

28 

2005-06:  27 

Assurance  on  well  and  production  data 

Alberta  Energy  and 
Utilities  Board 

2004-05 

29 

Assurance  systems  for  volumetric  accuracy 

Alberta  Energy  and 
Utilities  Board 

2004-05 

30 

Liability  Management  for  Suspension. 
Abandonment  and  Reclamation  Activities 

Also  see  Recommendations  to  more  than  one  ministry — page  202 

Environment 

1998-99 

30 

2000-01:  8 
2004-05:  31 

Financial  security  for  land  disturbances 

2002-03 

12 

2005-06:  29 

Contaminated  sites  information  systems 

2003-04 

13 

Managing  for  results:  Relevancy  and 
sufficiency  of  performance  measures 

2005-06 

1 

Drinking  Water:  Approvals  and  registrations 

2005-06 

2 

Drinking  Water:  Inspection  system 

2005-06 

3 

Drinking  Water:  Waterworks  operators 

2005-06 

4 

Drinking  Water:  Information  systems 

2005-06 

5 

Drinking  Water:  Supporting  Environment's 
drinking  water  goals 

2005-06 

Vol.  1, 
p.  48 

Drinking  Water:  Communicating  with  partners 

2005-06 

28 

Water  Well  Drilling 

Also  see  Recommendations  to  more  than  one  ministry — page  202 

Executive  Council 

See  Cross-Ministry — page  197 

Finance 

2005-06 

30a 

Supplementary  Retirement  Plans — assess  the 
annual  and  cumulative  costs  and  risks 

Alberta  Securities 
Commission 

2004-05 

p.  198 

Hosting  and  working  sessions  policies 

ATB 

1999-00 

49 

2000-  01:49 

2001-  02:  17 

2003-  04:  18 

2004-  05:  33 

Strengthening  internal  controls — branch 
operations 

ATB 

2001-02 

16 

2002-03:  16 

Risk  management 

ATB 

2002-03 

15 

2003-  04:  17 

2004-  05:  32 

Lending  policy  compliance 

Health  and  Wellness 

1997-98 

27 

1999-00:  21 
2005-06:  19 

Population-based  funding:  Data  improvement 

1998-99 

19 

1999-00:  39 

Academic  Health:  Governance  and 
accountability 

1998-99 

40 

2003-04:  21 

Heath  care  registration 
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Auditee 

Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

2000-01 

17 

2005-06:  33 

Analysis  of  physician  billing  information 

2001-02 

24 

2003-04:  22 
9005-06-  34 

Information  technology  control  environment 

2001-02 

p.  134 

2002-03:  22 

Control  of,  and  accountability  for,  restricted 
fiindini? 

2002-03 

23,  p. 
1 56  and 
157 

Province  Wide  Services 

2003-04 

23 

Accountahilitv  of  the  Health  Rppions  to  the 
Minister  of  Health  and  Wellness 

2005-06 

17 

RHA  Global  Funding:  Defining  goals  and 

Uvl  1  V7 1  lllClllvv   lll^UiJUl  V  J 

2005-06 

18 

RHA  Global  Funding:  Non-formula  funding 
adnistmeTits 

C1V.1 1  LIO  11 1 1 1  LO 

2005-06 

20 

RHA  Global  Funding:  Funding 
com  mi  mi  rati  oil's 

V\J  XX  XX X 1  UX  1 1 V  CI  I 1  \J  1 1  o 

9Q05-06 

21 

RHA  GlnHal  PunrlincT'  f^nnrrliTiJitinn  of* pflnital 

and  operating  decisions 

^005-06 

Vol.  1, 
p.  147 

RHA  GloHal  Funding*  Ppnodip  analvsis 

l  \  1  l/v   VJ  XVJ  UCIX  X  HI  XVX  X  X  XtL  .   1  Vvl.  1UU1L-  dlldlVijliJ 

9005-06 

Vol.  1, 
p.  158 

RHA  GlnHfll  Funding'  Dornmpntation 

Ivl  Ifi  VJ  XKJ  XJCIX  1  \AXX\XXlXc~. .    1  "  VjV-'UlllwlllClllVjll 

retention 

2005-06 

Vol.  1, 
p.  159 

RHA  Global  Funding:  Data  availability  and 
timeliness 

LllllVllllVLJL} 

2005-06 

Vol.  1, 

n  160 

RHA  Global  Funding:  Resolving  Global 
Fnndinp  issues 

X    U11U111C1  lijOUVO 

2005-06 

31 

2005  Ministry  annual  report — results  analysis 

2005-06 

32 

^OOS  rVtiniQtrv  anniifil  rpnnrt  nprfnrrrifirif'P 

Z. \J \J +j   1V11111SL1  V   dillllldl  1 fcUUl  L        Uvl  L\Jx  J 1  IClllL  V 

measures 

Alberta  Alcohol  and 
Drug  Abuse  Commission 

Nov  2006 

N.l 

V_,UlHl<lClJ.liy  rlddlCCS.  llllC-Hldl  CUlllIUlo 

Alberta  Alcohol  and 
Drug  Abuse  Commission 

Nov  ^006 

N.2 

i        tret r»tin cr  Prctpfir'pc*  A  p a H ptn i c  pff^npnticnc 
anrl  primirifil  rppnrHs  plippks 

Alberta  Alcohol  and 
Drug  Abuse  Commission 

Nov.  2006 

N.3 

Contracting  Practices:  Board  governance 

Alberta  Cancer  Board 

2001-02 

25 

.rYlUClLd  V-dllCCI  DUdlLI  ^IIIIUIUVC  oyoLCllJo  1U1 

managing  cancer  drug  programs) 

Capital  Health 

9005-06 

~>  \J\J 

35 

A  ppnt*£t tp  tin  cinr*i  q  1  xr\TnrrY\atirwi 
zACCUIdLC  lllldllL'Idl  1I11UI IlldllUIl 

Capital  Health  Authority 
and  Calgary  Health 
Region 

2000-01 

p.  135 

Performance  measures  for  surgical  services 

Calgary  Health  Region 

2005-06 

36 

Monitoring  service  provider  compliance  and 
performance 

Also  see  Recommendations  to  more  than  one  ministry — page  202 

Infrastructure  and  Transportation 

2003-04 

29 

Monitoring  processes  for  commercial  vehicle 
and  motor  vehicle  inspection 

2003-04 

30 

Licensing  of  commercial  vehicle  and  motor 
vehicle  inspection  facilities  and  technicians 
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Auditee 

Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

Nov.  2006 

N.5 

Infrastructure  and  Transportation:  Capital 
grants  to  Metis  Settlements 

International,  Intergovernmental  and  Aboriginal  Relations 

2005-06 

Vol.  2, 
p58 

Agreements  for  locally  engaged  staff 

Nov.  2006 

N.4 

Role  of  Metis  Settlements  Ombudsman 

Municipal  Affairs  and  Housing 

2001-02 

46 

Emergency  preparedness 

2003-04 

p.  265 

2006-07: 
Vol.  2,  p.  138 

IT  Management  controls 

Alberta  Social  Housing 
Corporation 

Oct.  2005 

ASHC  1 

ASHC  Land  Sales  Systems— Oct.  2005: 
Planning  for  land  sales  and  development  in 
Fort  McMurray 

Alberta  Social  Housing 
Corporation 

Oct.  2005 

ASHC2 

ASHC  Land  Sales  Systems— Oct.  2005:  The 
Corporation's  systems  for  selling  land 

Seniors  and  Community  Supports 

Department  and  PDD 
community  boards 

2003-04 

8 

Service  provider  risk  assessment 

Department  and  PDD 
community  boards 

2003-04 

9 

Contract  monitoring  and  evaluation 

Department  and  PDD 
community  boards 

2003-04 

p.  109 

Contracting  framework  and  policies 

Also  see  Recommendations  to  more  than  one  ministry — page  202 

Service  Alberta 

2001-02 

22 

2002-03:  20 
2004-05:  37 

Performance  measures 

2003-04 

20 

Contracting  policies  and  procedures 

2004-05 

34 

IT  project  management  of  Registry  Renewal 
Initiative 

2005-06 

37 

Physical  security 

2005-06 

Vol.  2, 
p.  165 

2006-07: 
Vol.  2,  p.  148 

Security  administration 

Also  see  Cross-Ministry — page  197 

Solicitor  General  and  Ministry  of  Public  Security 

1997-98 

34 

2002-03:  40 

Policing  standards 

Alberta  Gaming  and 
Liquor  Commission 

2002-03 

p.  131 

Contract  management  systems — Contracting 
processes 
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Auditee 

Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

Sustainable  Resource  Development 

2002-03 

p.  277 

Contracting 

OAAC  A£ 

1 1 

Reforestation:  Performance  information. 

2005-06 

14 

Reforestation:  Performance  information 

2005-06 

15 

Reforestation:  Monitoring  and  enforcement 

2005-06 

16 

Reforestation:  Forest  Resource  Improvement 
Association  of  Alberta 

2005-06 

Vol.  1, 
pl29 

Reforestation:  Seed  inventory 

Natural  Resources 
Conservation  Board 

2003-04 

28 

2006-07:  35 

Rank  compliance  and  enforcement  activities 
based  on  risk  (Confined  feeding  operations) 

Also  see  Recommendations  to  more  than  one  ministry — page  202 

Tourism,  Parks,  Recreation  and  Culture 

2004-05 

p.  203 

Awareness  of  grant  programs  available  (and 
guidelines  for  assessing  Other  Initiatives 
Program  grants) 

2004-05 

p.  205 

Review  of  accounting  (Timeliness  of  grant 
monitoring) 

Wild  Rose  Foundation 

2004-05 

p.  142 

Wild  Rose  Foundation's  systems  for  the 
International  Development  Program 

Treasury  Board 

1996-97 

25 

1997-  98:  41 

1998-  99:  47 

1999-  00:  42 

2000-  01:  45 

2001-  02:  15 

2002-  03:  2 

Corporate  government  accounting  policies 

Also  see  Cross-Ministry — page  1 97 

Recommendations  to  more  than  one  ministry 

Food  Safety 

Regional  Health 
Authorities 

2005-06 

6 

Food  Safety:  RHA  food  establishment 
inspection  programs 

Regional  Health 
Authorities  and  Health 
and  Wellness 

2005-06 

Vol.  1, 
p.  83 

Food  Safety:  Tools  to  promote  and  enforce 
food  safety 

Regional  Health 
Authorities  (supported  by 
Health  and  Wellness 

2005-06 

7 

Food  Safety:  RHA  food  safety  information 
systems 

Regional  Health 
Authorities 

2005-06 

8 

Food  Safety:  Compliance  with  permitting 
legislation 

Agriculture  and  Food 

2005-06 

9 

Food  Safety:  Alberta  Agriculture's 
surveillance  program 

Agriculture  and  Food 

2005-06 

10 

Food  Safety:  Alberta  Agriculture's  inspection 
and  investigation  programs 
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Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

Agriculture  and  Food 

2005-06 

Vol.  1, 
p.  94 

Food  Safety:  Alberta  Agriculture's  food  safety 
information  systems 

Health  and  Wellness  and 
Agriculture  and  Food  (in 
cooperation  with  RHAs) 

2005-06 

1  1 

Food  Safety:  Integrated  food  safety  planning 
and  activities 

Regional  Health 
Authorities.  Health  and 
Wellness,  and 
Agriculture  and  Food 

2005-06 

Vol.  1. 
P.  102 

Food  Safety:  Eliminating  gaps  in  coverage 

Health  and  Wellness,  and 
Agriculture  and  Food 

2005-06 

12 

Food  Safety:  Accountability 

Seniors  Care  and  Programs 

Health  and  Wellness 
(working  the  RHAs  and 
Seniors  and  Community 
Supports) 

2004-05 

5 

Seniors  Care  and  Programs,  No.  1 — page  2l>: 
Developing  and  maintaining  standards 

Health  and  Wellness  and 
RHAs  (working  with 
Seniors  and  Community 
Supports) 

2004-05 

6 

Seniors  Care  and  Programs,  No.  2— 
page  3 1 :  Compliance  with  Basic  Service 
Standards 

Health  and  Wellness  and 
RHAs  (working  with 
Seniors  and  Community 
Supports) 

2004-05 

7 

Seniors  Care  and  Programs,  No.  3 — page  34: 
Effectiveness  of  services  in  long-term  care 
facilities 

Health  and  Wellness 
(working  with  RHAs 
with  Seniors  and 
Community  Supports) 

2004-05 

8 

Seniors  Care  and  Programs.  No.  4 — page  35: 
Effectiveness  of  services  in  long-tenn  care 
facilities 

Health  and  Wellness 
(working  with  RHAs 
with  Seniors  and 
Community  Supports) 

2004-05 

p.  61 

Seniors  Care  and  Programs — page  37: 
Information  to  monitor  compliance  with 
legislation 

Health  and  Wellness 
(working  with  RHAs 
with  Seniors  and 
Community  Supports) 

2004-05 

9 

Seniors  Care  and  Programs,  No.  5— 

page  39:  Determining  future  needs  for  services 

in  long-term  care  facilities 

Health  and  Wellness 

2004-05 

p.  62 

Seniors  Care  and  Programs — page  39:  Report 
on  progress  implementing  Continuing  Care 
Strategic  Service  Plans 

Health  and  Wellness  and 
Seniors  and  Community 
Supports 

2004-05 

10 

Seniors  Care  and  Programs,  No.  6 — 
page  45:  Standards  for  services  in  assisted 
living  and  other  supportive  living  settings 

Seniors  and  Community 
Supports 

2004-05 

11 

Seniors  Care  and  Programs — No.  7: 
Developing  and  monitoring  standards  for  the 
Seniors  Lodge  Program 

Seniors  and  Community 
Supports 

2004-05 

12 

Seniors  Care  and  Programs,  No.  S: 
Effectiveness  of  Seniors  Lodge  Program 

Seniors  and  Community 
Supports 

2004-05 

p.  67 

Seniors  Care  and  Programs — page  50: 
Determining  future  needs 
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Auditee 

Original 
Report 
Year 

Original 
Rec. 

Repeated 

Recommendation  subject 

Seniors  and  Community 
Supports 

2004-05 

p.  68 

Seniors  Care  and  Programs — page  55: 
Effectiveness  of  the  Alberta  Seniors  Benefit 
Program 

Seniors  and  Community 
Supports 

2004-05 

13 

Seniors  Care  and  Programs,  No.  9 — page  56: 
Information  to  determine  program  benefits 

Sustainable  Resource  and  Environmental  Management  (SREM) 

Energy,  Environment  and 
Sustainable  Resource 
Development 

2004-05 

14 

Sustainable  Resource  and  Environmental 
Management  (SREM)  Implementation  Plan 
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Government's  response  to  2005-2006 
recommendations 

The  following  are  the  numbered  recommendations  in  our  2005-2006  reports  and  the  government's 
response  to  each  of  them.  The  reports  include: 

Annual  Report  of  the  Auditor  General  of  Alberta  2005-2006  (October  2006)— 37  numbered 

recommendations 

•     Report  of  the  Auditor  General — November  2006 — 12  numbered  recommendations 

Annual  Report  of  the  Auditor  General  of  Alberta  2005-2006 

Drinking  Water 

1 .  Approvals  and  registrations 

We  recommend  that  the  Department  of  Environment  make 
its  system  to  issue  approvals  and  registrations  more 
effective  by: 

•  Strengthening  supporting  processes  such  as  training, 
manuals,  checklists,  and  quality  control  for  approvals 
and  registrations, 

•  Ensuring  that  applications  are  complete  and 
legislatively  compliant, 

•  Documenting  important  decisions  in  the  application 
and  registration  processes, 

•  Processing  applications  and  conversions  promptly, 

•  Maintaining  consistency  in  the  wording  of  approvals 
and  registrations  across  the  province,  and 

•  Following  up  short-term  conditions  in  approvals. 

2.  Inspection  system 

We  recommend  that  the  Department  of  Environment 
improve  its  drinking  water  inspection  processes  by: 

•  Applying  the  same  inspection  frequency  targets  to  all 
waterworks  regulated  by  the  Environmental 
Protection  and  Enhancement  Act, 

•  Ensuring  inspectors  receive  sufficient  training  in 
waterworks  systems  and  operations, 

•  Revising  documentation  tools  and  practices,  including 
making  them  more  risk  focused,  and 

•  Informing  operators  promptly  of  inspection  results, 
ensuring  operators  respond  appropriately,  and 
concluding  on  each  inspection. 
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Accepted.  During  the  next  two  years,  the  Department 
will  update  manuals  and  internal  forms,  improve 
documentation  practices,  and  implement  a  process  to 
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Volume  2 


Government's  response  to  2005-2006  recommendations 


5. 


Waterworks  operators 

We  recommend  that  the  Department  of  Environment, 
working  with  its  drinking  water  partners,  update  its 
strategies  to  deal  with  the  province's  needs  for  certified 
water  treatment  operators. 

Information  systems 

We  recommend  that  the  Department  of  Environment 
improve  the  infonnation  systems  used  to  manage  its 
drinking  water  businesses  by: 

•  Updating  EMS  forms  and  improving  reporting 
capacity, 

•  Coordinating  regional,  district,  and  personal 
information  systems  to  avoid  overlap  and  encourage 
best  practice,  and 

•  Using  data  to  improve  program  effectiveness  and 
efficiency. 

Supporting  Environment's  drinking  water  goals 

We  recommend  that  the  Department  of  Environment 
ensure  that  is  legislation,  programs,  and  practices  support 
its  new  drinking  water  goals.  This  includes: 

•  Clarifying  how  approvals  will  move  facilities  towards 
current  standards, 

•  Delivering  central  initiatives  that  enhance  the  drinking 
water  program, 

•  Determining  how  the  Department  should  promote 
policy  initiatives  such  as  regionalization,  including  the 
financing  of  those  initiatives, 

•  Establishing  how  the  Department  can  partner  with 
others  while  mitigating  the  risks  inherent  in 
partnering,  and 

•  Reinforcing  a  "beyond  compliance"'  mindset  with 
Department  staff. 


Accepted.  The  Department  will  enhance  its  support  of 
this  program. 


Accepted  in  principle.  During  the  next  two  years,  the 
Department  will  update  fonns  and  coordinate  regional 
systems. 


Accepted.  The  Department  will  continue  to  review  and 
update  its  legislation,  programs  and  business  practices. 
In  addition,  the  Department  will  continue  to  work  with 
Infrastructure  and  Transportation  to  provide  funding  for 
regional  water  distribution  systems. 


Food  Safety 

6.    RHA  food  establishment  inspection  programs 

We  recommend  that  the  regional  health  authorities 
improve  their  food  establishment  inspection  programs.  In 
particular,  regional  health  authorities  should: 

•  Inspect  food  establishments  following  generally 
accepted  risk  assessment  and  inspection  frequency 
standards, 

•  Ensure  that  inspections  are  consistently  administered 
and  documents, 

•  Follow  up  critical  violations  promptly  to  ensure  that 
food  establishments  have  corrected  those  violations, 

•  Use  their  enforcement  powers  to  protect  Albertans 
from  the  highest  risk  food  establishments,  and 

•  Periodically  reinforce  independence  and  conflict  of 
 interest  policies  amongst  public  health  inspectors. 


Accepted.  Health  and  Wellness  will  be  meeting  with 
the  Regional  Health  Authorities  to  generate  a  plan 
regarding  the  inspection  of  food  establishments. 
Development  of  a  provincial  strategy  and  policies 
would  assist  in  clearly  outlining  expectations  for 
inspection  frequency  standards  and  follow  up  on 
critical  violations.  It  is  important  to  note  however,  that 
there  is  generally  no  accepted  practice  for  how  often 
certain  establishments  should  be  inspected. 
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7.  RHA  food  safety  information  systems 

We  recommend  that  the  regional  health  authorities, 
supported  by  the  Department  of  Health  and  Wellness, 
improve  their  automated  food  safety  information  systems. 
This  includes: 

•  Enhancing  system  management,  security,  and  access 
control, 

•  Ensuring  data  consistency, 

•  Ensuring  that  service  level  agreements  are  in  place, 
and 

•  Developing  reporting  capacity  for  management  and 
accountability  purposes. 

8.  Compliance  with  permitting  legislation 

We  recommend  that  the  regional  health  authorities  ensure 
that  their  food  establishment  permitting  practices  comply 
with  legislation  and  are  efficient. 

9.  Alberta  Agriculture's  surveillance  program 

We  recommend  that  the  Department  of  Agriculture,  Food 
and  Rural  Development  improve  the  administration  of  its 
food  safety  surveillance  program.  This  includes: 

•  Documenting  its  prioritization  processes, 

•  Involving  partners  in  the  prioritization  of  projects, 

•  Ensuring  conditions  for  the  approval  of  specific 
projects  are  met  and  final  approval  recorded, 

•  Capturing  costs  for  large  projects, 

•  Monitoring  the  impact  of  surveillance  projects,  and 

•  Considering  whether  regulatory  support  for  the 
program  is  required. 

10.  Alberta  Agriculture's  inspection  and  investigation 
programs 

We  recommend  that  the  Department  of  Agriculture,  Food 
and  Rural  Development  improve  its  inspection  and 
investigation  programs  by  ensuring: 

•  It  considers  a  broader  range  of  enforcement  tools, 

•  Inspections  are  up-to-date,  and 

•  Practices  for  complaints,  incident  reports,  and  held 
tags  are  consistent. 


Accepted.  Health  and  Wellness  is  currently  working 
with  the  Regional  Health  Authorities  on  an  initiative 
that  is  developing  outcome  measures/report ing 
requirements  for  environmental  health.  This  project 
includes  food  safety  as  a  component  of  environmental 
health.  The  final  report  is  due  at  the  end  of 
December  2006. 


Accepted.  Health  and  Wellness  will  be  meeting  with 
Regional  Health  Authorities  to  generate  a  plan 
regarding  food  establishment  permitting  practices. 

Accepted.  The  Department  has  implemented  a 
risk-based  priority  setting  and  project  tracking  process. 
This  includes  a  system  for  documentation  and  approval 
tracking,  and  continues  to  be  refined  to  better  involve 
stakeholders  in  the  process  (stakeholder  communication 
plan  will  be  available  by  April  2007).  Costs  for  larger 
surveillance  projects  are  being  tracked  utilizing 
financial  tools  available  to  the  Department.  As  better 
tools  become  available,  the  accuracy  will  improve. 
Outcomes  of  surveillance  projects  are  assessed  to 
determine  if  interventions  are  warranted  and  the 
impacts  of  these  interventions  will  be  assessed. 


Accepted.  The  Department  has  initiated  the 
development  of  a  proposed  Agricultural  Product  (Food) 
Safety  and  Quality  Act  and  will  be  undertaking 
extensive  consultations  with  stakeholders  in  2007  on  its 
development.  Considerations  will  be  given  to  the 
inclusion  of  additional  enforcement  authorities  or  tools. 
A  new  audit  program  in  provincially  licensed  meat 
facilities  has  been  implemented  to  enhance  inspection 
effectiveness. 

Regular  timely  inspections,  incident  reports,  and  held 
tags  directives  are  now  in  place  to  ensure  consistency  in 
actions  by  all  staff  in  the  Regulatory  Services  Division. 
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11.  Integrated  food  safety  planning  and  activities 

We  recommend  that  the  Departments  of  Health  and 
Wellness  and  Agriculture,  Food  and  Rural  Development, 
in  cooperation  with  the  regional  health  authorities  and 
federal  regulators,  improve  integrated  food  safety  planning 
and  cooperation  on  food  safety  activities  and  initiatives. 
This  includes: 

•  Each  provincial  ministry  defining  its  own  food  safety 
policies,  objectives,  and  measures, 

•  Coordinating  provincial  food  safety  policies  and 
planning  so  initiatives  are  integrated, 

•  Ensuring  provincial  approaches  align  with  initiatives 
being  developed  through  federal/provincial/territorial 
committees, 

•  Improving  day-to-day  coordination  of  provincial  food 
safety  activities, 

•  Encouraging  the  joining  application  of  HACCP  and 
HACCP  related  programs  in  Alberta,  and 

•  Improving  cooperation  and  working  relationships 
among  provincial  and  federal  partners  such  as  the 
First  Nations  and  Inuit  Health  Brand  and  the  Canadian 
Food  Inspection  Agency. 

12.  Accountability 

We  recommend  that  the  Departments  of  Health  and 
Wellness  and  Agriculture,  Food  and  Rural  Development 
further  develop  their  capacity  for  food  safety 
accountability  in  Alberta.  This  includes  ensuring  that 
information  systems  can  produce  the  accountability 
information  that  the  two  ministers  need,  both  for 
individual  ministerial  accountability  and  for  integrated 
cross-ministry  purposes. 


Reforestation 

13.  Performance  information 

We  recommend  that  the  Department  of  Sustainable 
Resource  Development  produce  appropriately  timed 
reforestation  performance  reports  to  confirm  the 
effectiveness  of  its  regulatory  activities. 


Accepted.  As  members  of  Canada  Alberta  Partners  in 
Food  Safety,  Health  and  Wellness  (H&W)  and 
Agriculture  and  Food  (AF)  work  closely  with  the 
federal  government  and  the  Regional  health  Authorities 
(RHAs)  on  issues  such  as  meat  and  dairy  inspection; 
food  safety  training  programs;  Hazard  Analysis  Critical 
Control  Point  (HACCP_  implementation;  co-ordination 
of  responses  in  food  safety  emergencies  and  laboratory 
services;  and  improve  and  integrate  food  safety 
activities  and  objectives.  AF  is  further  defining  and 
strengthening  its  objectives  and  measures  for  its  goal 
"Continued  excellence  in  food  safety,,  (next  revision 
June  2007),  and  H&W  is  currently  working  with  the 
RHAs  to  develop  outcome  measures  for  food  and  other 
areas  under  the  Environmental  Health  Reportable 
Measures  Initiative  (final  report  in  December  2006). 
H&W  and  AF  are  working  to  ensure  that  government 
policies  are  aligned  with  Federal/Provincial/Territorial 
initiatives. 


Accepted.  Agriculture  and  Food  (AF)  is  upgrading  and 
expanding  its  data  systems  to  improve  data 
management,  analysis  and  ability  to  share  animal  health 
and  food  safety  data  (multiple  projects  envisioned 
through  2010). 

The  current  Environmental  health  Reportable  Measures 
Initiative  will  provide  recommendations  regarding  the 
necessary  data  element  requirements,  and  a  proposed 
Environmental  Health  Strategic  Plan  will  include  a 
review  of  the  existing  data  systems  and  future  program 
needs  as  a  first  step  in  developing  the  system  needed  to 
address  accountability.  Health  and  Wellness  and  AF 
will  focus  on  developing  measures  to  demonstrate  the 
effectiveness  of  the  food  safety  system  and  improve 
ministerial  accountability  through  the  development  of 
an  Alberta  Safe  Food  Strategy. 


Accepted.  By  March  2007,  the  Department  will 
develop  appropriate  reforestation  progress  reports  that 
will  be  used  to  assess  performance. 
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14.  Performance  information 

We  also  recommend  that  the  Department  of  Sustainable 
Resource  Development: 

•  Strengthen  its  quality  control  process  for  performance 
information,  and 

•  Re-examine  whether  achieving  the  target  for 
reforestation  rate  in  harvested  areas  indicates 
satisfactory  reforestation. 


Accepted.  The  Department  will  add  procedures  to  the 
small  operator  manual  to  clarify  responsibilities  for 
reporting  reforestation  activities.  In  2006-2007,  the 
Department  will  include  a  procedure  in  its  Forest 
Operations  Monitoring  Protocol  to  cross  check  the 
results  from  regeneration  surveys  with  the  data  in  the 
Alberta  Regeneration  Information  System.  A  procedure 
will  also  be  added  to  help  ensure  all  cutblocks 
harvested  and  their  subsequent  treatments  are  entered 
into  the  Alberta  Regeneration  Information  System.  In 
2007-2008,  the  Department  will  initiate  a  review  of  the 
appropriateness  of  the  reforestation  performance 
measure. 


15.  Monitoring  and  enforcement 

We  recommend  that  the  Department  of  Sustainable 
Resource  Development  strengthen  its  monitoring  of 
reforestation  activities  by: 

•  Bringing  more  rigour  to  the  review  of  forestry 
operator  plans, 

•  Making  its  field  inspection  program  more  effective, 
and 

•  Promptly  identifying  and  correcting  non-compliance 
with  legislation. 


16.  Forest  Resource  Improvement  Association  of  Alberta 

We  recommend  the  Department  of  Sustainable  Resource 
Development  enter  into  a  memorandum  of  understanding 
with  the  Forest  Resource  Improvement  Association  of 
Alberta  to  clarify  the  Department's  accountability 
expectations. 


Accepted.  The  Department  will  continue  work  to 
increase  the  efficiency  and  effectiveness  of  its 
monitoring  and  enforcement  of  reforestation  activities. 
In  2006-2007,  the  Department  will  complete  a  Forest 
Operations  Protocol  that  will  include  a  comprehensive, 
risk-based  reforestation  monitoring  component.  The 
Department  will  also  strengthen  the  enforcement 
component  in  its  reforestation  training  courses  and  will 
strengthen  processes  to  promptly  identify 
non-compliance  with  legislation. 


Accepted.  By  March  2007,  the  Department  will  work  to 
develop  a  memorandum  of  understanding  with  the 
Forest  Resource  Improvement  Association  of  Alberta  to 
clarify  expectations  and  reporting  requirements.  The 
agreement  will  also  clarify  the  Department's  role  in  the 
monitoring  of  the  Forest  Resource  Improvement 
Association  of  Alberta  in  relation  to  specific  programs 
administered  by  the  Association. 


Regional  Health  Authority  Global  Funding 

17.  Defining  goals  and  performance  measures 
We  recommend  that  the  Department  of  Health  and 
Wellness  clarify  the  goals  and  performance  measures  for 
its  Regional  Health  Authority  Global  Funding 
methodology. 


18.  Non-formula  funding  adjustments 

We  recommend  that  the  Department  of  Health  and 
Wellness  analyze  the  non-formula  funding  adjustments  to 
ensure  their  consistency  with  the  goals  of  Global  Funding. 
Issues  arising  from  this  analysis  should  be  resolved. 


Accepted  in  principle.  Regional  Health  Authority 
(RHA)  funding  allocation  goals  will  be  clearly 
articulated  in  written  documentation  and  communicated 
to  RHA  Chief  Executive  Officers  for  feedback  and 
discussion  (by  March  2007).  Performance  indicators  for 
measuring  how  well  the  key  goals  are  being  achieved 
will  also  be  set  to  the  extent  possible. 


Accepted.  The  Department  will  analyze  and  document, 
on  an  annual  basis,  all  non-formula  funding 
adjustments  to  ensure  their  consistency  with  the 
objectives  of  Global  Funding. 
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19.  Data  improvement 

We  again  recommend  that  the  Department  of  Health  and 
Wellness  continue  to  improve  the  data  used  in  the 
Regional  Health  Authority  Global  Funding  calculations. 

(1997-1998-  No.  27) 

20.  Funding  communications 

We  recommend  that  the  Department  of  Health  and 
Wellness  improve  the  timeliness  of  its  funding 
communications  to  the  regional  health  authorities. 

21.  Coordination  of  capital  and  operating  decisions 

We  recommend  that  the  Department  of  Health  and 
Wellness  ensure  that  capital  and  operating  funding 
decisions  for  regional  health  authorities  are  coordinated. 


Accepted.  The  Department  will  continue  its  ongoing 
efforts  to  ensure  the  quality  and  timeliness  of  data  used 
in  the  regional  health  authority  funding  allocation 
methodology. 

Accepted  in  principle.  When  possible,  Regional  Health 
Authorities  will  be  informed  of  their  preliminary  or 
actual  budget  allocation  in  sufficient  time  to  allow  for 
the  finalization  of  their  annual  health  plans. 

Accepted  in  principle.  It  is  recognized  that  health 
infrastructure  project  have  significant  implications  for 
the  operational  funding  requirements  of  health  regions. 
Health  and  Wellness  will  work  with  regions  to  develop 
a  policy  framework  for  ensuring  that  adequate 
operational  resources  will  be  available  for  new 
facilities. 


Cross-Ministry 

22.  IT  project  management 

We  recommend  that  the  Deputy  Minister  of  Restructuring 
and  Government  Efficiency  provide  guidance  to  Deputy 
Ministers  and  their  Chief  Information  Officers  on  their 
responsibilities  for  overseeing  information  technology 
projects. 


Accepted.  Restructuring  and  Government  Efficiency 
introduced  these  recommendations  to  the  Chief 
Information  Officers  (CIO)  council  in  July  2006  from 
which  a  CIO  sub  committee  was  established  to  define 
and  direct  efforts  necessary  to  ensure  clarification  and 
recognition  of  project  sponsors'  responsibilities  for 
information  technology  project  management.  The  sub 
committee  will  meet  and  an  action  plan  will  be 
established  to  ensure  awareness  of  the  Auditor  General 
recommendations  and  to  develop  roles  and 
responsibilities  of  each  ministry. 


Advanced  Education 

23.  Effective  monitoring  of  employers  providing 
apprenticeship  training 

We  recommend  that  the  Department  of  Advanced 
Education  improve  its  monitoring  of  employers  providing 
apprenticeship  training  by: 

1 .  improving  the  accuracy  of  its  information  on  active 
employers, 

2.  ensuring  that  its  records  of  the  visits  by  its  staff  to 
employers  are  available  to  its  field  staff  and 
management,  and 

3.  improving  its  performance  evaluation  of  staff  carrying 
out  these  visits. 


Accepted.  The  Department  will  ensure  that  its 
processes  relating  to  the  employer  visits  are  improved 
by  March  2007,  including  making  field  staff  aware  of 
past  compliance  issues  at  worksites  and  providing  them 
with  information  about  employers  with  the  potential  for 
training  opportunities.  The  Department  will  also  review 
criteria  for  evaluating  field  staff  performance  in  relation 
to  the  achievement  of  program  goals. 
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Agriculture,  Food  and  Rural  Development 

24.  Verifying  eligibility  for  Farm  Fuel  Benefit  program 

We  recommend  that  the  Department  of  Agriculture.  Food 
and  Rural  Development  improve  its  administration  of  the 
Alberta  Farm  Fuel  Benefit  program  by: 

•  verifying  information  on  completed  program 
application  forms,  and 

•  requiring  applicants  to  regularly  renew  their 
registration  in  the  program. 


Education 

25.  School  board  budget  process 

We  recommend  that  Alberta  Education  improve  the  school 
board  budget  process  by: 

•  Providing  school  boards  as  early  as  possible  with  the 
infonnation  needed  to  prepare  their  budgets  (e.g. 
estimates  of  operating  grant  increases  and  new  grant 
funding,  and  comments  on  financial  condition  evident 
from  their  latest  audited  financial  statements). 

•  Requiring  school  boards  to  use  realistic  assumptions 
for  planned  activities  and  their  costs  and  to  disclose 
key  budget  assumptions  to  their  trustees  and  the 
Ministry. 

•  Establishing  a  date  for  each  school  board  to  give  the 
Ministry  a  trustee-approved  revised  budget  based  on 
actual  enrolment  and  prior  year  actual  results. 

•  Re-assessing  when  and  how  the  Ministry  should  take 
action  to  prevent  a  school  board  from  incurring  an 
accumulated  operating  deficit. 

26.  Interim  reporting — minimum  standards  and  best 
practices 

We  recommend  that  Alberta  Education  work  with  key 
stakeholder  associations  to  set  minimum  standards  for  the 
financial  monitoring  information  provided  to  school  board 
trustees. 

We  also  recommend  that  Alberta  Education  work  with  the 
key  stakeholder  associations  to  provide  information  to 
trustees  about: 

•  the  characteristics  of  a  strong  budgetary  control 
system 

•  best  practices  for  fulfilling  financial  monitoring 
responsibilities 


Accepted.  Plans  and  processes  arc  well  underway  for  a 
renewal  that  will  commence  in  2006.  It  is  anticipated 
that  the  renewal  process  will  be  continuous  with  one- 
third  of  the  registrants  renewing  their  eligibility  each 
year.  A  new  partnership  arrangement  between  the 
Department  and  the  Agriculture  Financial  Services 
Corporation  (AFSC)  will  involve  AFSC  in  the  renewal 
process.  AFSC  will  be  able  to  assist  in  the  verification 
of  applications  by  accessing  infonnation  relating  to  the 
programs  that  they  deliver  such  as  the  Canadian 
Agriculture  Income  Stabilization  Program,  production 
insurance  and  lending  programs. 


Accepted  in  principle.  Alberta  Education  is  committed 
to  working  with  representatives  from  school 
jurisdictions  to  ensure  that  school  trustees  and 
administrators  are  provided  with  comprehensive  and 
timely  information  to  enable  them  to  make  informed 
decisions  that  take  into  account  local  priorities  and 
conditions  while  maintaining  the  integrity  of  provincial 
policies  and  priorities.  The  implications  of  the 
recommendations  will  be  assessed  in  consultation  with 
stakeholders.  The  Department  will  explore  strategies  to 
deal  with  the  concerns  identified  to  ensure 
implementation  of  effective  and  practical  frameworks 
to  enable  informed  decision  and  making  at  a 
jurisdictional  level. 


Accepted.  Alberta  Education  will  assist  key  stakeholder 
associations  to  establish  minimum  standards  for  interim 
reporting  to  trustees  and  to  provide  information  to 
trustees  about  the  characteristics  of  a  strong  budgetary 
control  system  and  best  practices  for  fulfilling  their 
financial  monitoring  responsibilities.  We  expect  to 
exercise  a  leadership  role,  while  respecting  the 
autonomy  and  assigned  responsibilities  of  jurisdictional 
authorities.  Given  the  diversity  of  school  jurisdictions 
and  the  potential  impact  of  this  recommendation  on 
boards  and  their  administrations,  implementing  this 
recommendation  will  require  extensive  consultation 
with  stakeholders. 
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Energy 

27.  Assurance  on  well  and  production  data 

We  again  recommend  the  Department  of  Energy: 

•  complete  its  risk  assessment  and  evaluate  the 
assurance  obtained  from  the  Petroleum  Registry 
System  and  the  Department's  controls  over  well  and 
production  data; 

•  communicate  to  the  Alberta  Energy  and  Utilities 
Board  how  much  assurance,  if  any,  the  Department 
needs  over  the  completeness  and  accuracy  of  well  and 
production  data. 


Accepted.  The  Department  of  Energy  and  the  Alberta 
Energy  and  Utilities  Board  (EUB)  have  formed  two 
joint  committees  to  identify  the  volumetric  data 
elements  and  evaluate  the  potential  risk  of  those  data 
elements  in  the  calculation  of  royalty.  The  EUB  will  be 
advised  of  those  data  elements  which  are  considered  to 
have  the  highest  risk  to  the  accurate  calculation  of 
royalties. 

It  should  be  note,  however,  that  in  the  Ministry's 
opinion,  the  calculation  of  royalty  based  on  the 
production  reported  is  in  all  respects  materially 
accurate. 


Environment 

28.  Water  Well  Drilling 

We  recommend  that  the  Department  of  Environment 
improve  its  system  to  regulate  water  well  drilling  by: 

•  Ensuring  that  drillers  and  drilling  companies  meet 
approval  requirements; 

•  Implementing  controls  to  ensure  that  water  well 
drilling  reports  are: 

•  received  on  time, 

•  complete  and  accurate,  and 

•  accurately  entered  into  the  Groundwater 
Information  System; 

•  Obtaining  assurance  that  water  well  drilling  activities 
in  the  field  meet  legislated  standards. 

29.  Contaminated  sites  information  system 

We  again  recommend  that  the  Ministry  of  Environment 
implement  an  integrated  information  system  to  track 
contaminated  sites  in  Alberta. 
(2002-2003  -  No.  12) 

Finance 

30.  Supplementary  Retirement  Plans  (SRPs) 

We  recommend  that  the  Department  of  Finance  assess  the 
annual  and  cumulative  costs  and  risks  associated  with 
Supplementary  Retirement  Plans.  Further,  we  recommend 
that  the  Department  review  the  Treasury  Board  Directives 
to  ensure  that  the  amount  disclosed  as  the  total 
compensation  of  each  senior  executive  includes 
Supplementary  Retirement  Plan  benefits  earned  in  the 
year. 


Accepted.  The  Department  will  update  and  enhance  our 
processes  related  to  water  well  drilling. 


Accepted  in  principle.  During  the  next  three  years,  the 
Department  will  implement  a  system  related  to 
contaminated  sites. 


Under  review.  Finance  and  Treasury  Board  are 
currently  reviewing  the  recommendation  ad  anticipate 
the  review  to  be  complete  in  2007. 
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Health  and  Wellness 

31.  2005  Ministry  annual  report  results  analysis 

We  recommend  that  the  Ministry  of  Health  and  Wellness 
explain  and  quantify  annually — in  its  annual  report — key 
factors  affecting  health  care  costs. 


Accepted.  Information  presented  can  be  improved  to 
enhance  accountability  for  health  care  costs.  Adequacy 
of  information  for  reporting  is  subjective  and  there  is  a 
need  to  balance  between  high  level  and  detailed 
information. 


32. 


33. 


34. 


Performance  measures 

We  recommend  that  the  Ministry  of  Health  and  Wellness 
link  health  costs  to  outputs  for  the  Ministry  as  a  whole — in 
its  annual  report. 


Analysis  of  physician  billing  information 

We  recommend  that  the  Department  of  Health  and 
Wellness  strengthen  its  processes  to  analyze  and 
investigate  anomalies  in  physician  billing  information. 
(2000-2001  -No.  17) 

Information  technology  control  environment 

We  again  recommend  that  the  Department  of  Health  and 
Wellness  carry  out  a  comprehensive  risk  assessment  of  its 
IT  environment,  and  develop  and  implement  an  IT  disaster 
recovery  plan. 
(2001-2002 -No.  24) 


Accepted.  Health  and  Wellness  is  presently  working  on 
a  proposed  new  reporting  structure  as  part  of  the  three- 
year  health  authorities"  plan  that  will  improve  cos1 
disclosure  and  facilitate  the  linking  of  output  measures 
to  costs.  This  reporting  structure  will  take  into  account 
the  need  to  be  consistent  and  cost  effective  in  this 
accountability  process. 


Accepted  in  principle.  Health  and  Wellness  has  taken 
steps  to  acquire  better  analytical  tools  and  more 
professional  staff  to  facilitate  the  analysis  and 
investigation  of  physician  billing  information. 


Accepted  in  principle.  Health  and  Wellness  (H&W)  is 
currently  carrying  out  a  comprehensive  risk  assessment, 
in  the  order  of  business  plan  priorities,  of  all  of  it 
approximately  134  critical  information  systems.  H&W 
will  have  a  partial  disaster  recovery  plan  operating  by 
the  end  of  this  fiscal  year  and  a  full  plan  will  be  in  place 
in  approximately  three  years. 


Regional  Health  Authorities 

35.  Capital  Health:  Accurate  financial  information 

We  recommend  that  management  of  Capital  Health 
provide  its  Audit  and  Finance  Committee  with  complete 
and  accurate  financial  information. 


36.  Calgary  Health  Region:  Monitoring  service  provider 
compliance  and  performance 

We  recommend  that  the  Calgary  Health  Region  monitor  its 
contract  service  provider's  performance  using  the 
servicedevel  standards  and  reporting  timelines  that  the 
Region  and  the  contract  service  provider  agreed  to  in 
May  2006. 


Accepted.  To  ensure  that  estimates  are  as  refined  as 
possible,  management  is  documenting  the  reason  and 
methodology  for  all  significant  estimates.  This  will  be 
reviewed  and  approved  by  a  senior  person  within 
Capital  Health  management.  C  apital  Health  is 
reviewing,  and  where  appropriate,  updating  its  policies 
and  procedures. 


Accepted.  The  Calgary  Health  Region  is  recruiting  to 
fill  five  service  manager  positions  to  support  the 
contract  manager  and  to  monitor  sen  ice  provider 
performance.  The  Calgary  Health  Region  is  presently 
working  with  its  contract  service  provider  to  correct  the 
deficiencies  in  services  and  reporting  identified  by  the 
audit  report. 
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Restructuring  and  Government  Efficiency 

37.  Physical  security 

We  recommend  that  the  Ministry  of  Restructuring  and 
Government  Efficiency  improve  the  environmental  and 
security  controls  of  the  data  centres  it  maintains. 


Accepted.  The  Ministry  has  developed  an  evaluation 
template  to  be  used  to  validate  the  security  and 
environmental  status  of  each  ministry  based  server 
room  in  use  across  the  Government  of  Alberta.  Each 
server  room  will  be  assessed  against  this  template  and 
recommendations  developed  to  bring  each  into  security 
compliance. 


Report  of  the  Auditor  General  of  Alberta — November  2006 


Alberta  Alcohol  and  Drug  Abuse  Commission  (AADAC) — Contracting  practices 


Internal  controls 

We  recommend  that  management  improve  controls  over 
contracting  by: 

•  ensuring  adequate  segregation  of  duties  exists  over  the 
contracting  process 

•  monitoring  and  verifying  contractors'  compliance 
with  contract  terms  and  conditions 


Accepted.  AADAC  has  taken  steps  to  enhance  its 
financial  processes  to  ensure  adequate  segregation  of 
duties  and  has  put  in  place  additional  monitoring  of  the 
terms  and  conditions  of  contracts,  including  the 
establishment  of  an  internal  Contracts  Review 
Committee. 


Academic  credentials  and  criminal  records  check 

We  recommend  that: 

•  for  prospective  employees,  AADAC  verify 
credentials  such  as  university  diplomas  with 
granting  institutions 

•  AADAC  ensure  criminal  records  checks  are 
completed  in  accordance  with  their  policy 


Accepted.  AADAC  has  instituted  new  procedures  to 
verify  all  credentials  with  granting  institutions  and 
ensure  compliance  with  the  Commission's  policy  on 
criminal  record  checks. 


3.     Board  governance 

We  recommend  that  the  Board,  at  least  annually,  receive 
reports  from  management  on  the  design  and  effectiveness 
of  AADAC 's  internal  controls. 


Accepted.  The  Audit  Committee  and  the  Board 
currently  receive  reports  on  internal  controls  and  risk 
management.  We  will  now  ensure  that  this  occurs  on  an 
annual  basis. 


Aboriginal  Affairs  and  Northern  Development — Metis  Settlements  Ombudsman 


Role  of  Metis  Settlements  Ombudsman 

We  recommend  the  Department  of  Aboriginal  Affairs  and 
Northern  Development  review  how  it  handles  the  Metis 
Settlements  Ombudsman  role  and: 

•  ensure  any  contract  for  ombudsman  services  is 
adequately  monitored  and  managed  to  ensure 
government  objectives  are  achieved,  or 

•  establish  an  Office  of  the  Metis  Settlements 
Ombudsman  in  accordance  with  the  Metis 
Settlements  Act  with  corresponding  regulations,  or 

•  provide  ombudsman  services  under  other  such 
processes  or  options  that  maintain  the  principles  of 
independence  and  impartiality. 


Accepted.  The  Department  of  Aboriginal  Affairs  and 
Northern  Development  is  currently  working  on  an 
implementation  plan  to  address  the  recommendation. 
The  implementation  plan  will  be  completed  in  2007. 


214 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 


Government's  response  to  2005-2006  recommendations 


Infrastructure  and  Transportation — Capital  grants  to  Metis  Settlements 


Capital  grants  to  Metis  Settlements 

We  recommend  that  the  Department  of  Infrastructure  and 
Transportation  implement  an  effective  risk-based  system 
to  ensure  that  recipients  of  Rural  Transportation  Grants 
and  Street  Improvement  Program  grants  comply  with  the 
terms  and  conditions  of  those  grants. 


Accepted.  The  Department  of  Infrastructure  and 
Transportation  will  implement  a  more  effecth  e 
risk-based  system  to  ensure  that  recipients  of  the  Rural 
Transportation  Grants  and  the  Streets  Improvement 
Program  grants  comply  with  the  terms  and  conditions 
of  those  grants. 


Lakeland  College — Contracting  practices 

6.     Contract  policies  and  procedures 

We  recommend  that  Lakeland  College  review  and  amend 
its  contract  management  procedures  to  follow  best 
practice,  including,  but  not  limited  to: 

•  conducting  background  checks  on  companies  that 
are  not  known  to  the  College  prior  to  entering  into 
contracts 

•  updating  policy  to  require  employees  to  disclose 
conflicts  of  interest 

•  providing  guidance  on  monitoring  performance 
against  contract  terms 

•  retaining  only  final  signed  version  of  contracts 


Accepted.  We  will  review  our  contract  management 
procedures  and  amend  them  as  necessary.  We  expect  to 
implement  the  recommendation  by  January  31,  2007. 


7.     Monitoring  performance 

We  recommend  that  Lakeland  College  improve 
supervision  of  its  contracting  staff. 


We  also  recommend  that  Lakeland  College  monitor  its 
contract  performance  against  contract  terms,  and 
profitability  of  individual  contracts  in  the  Business  Unit. 


Accepted.  As  noted  in  the  auditor's  findings,  numerous 
meetings  and  corrective  e-mails  supplemented  by 
formal  evaluation  all  took  place  with  the  former 
General  Manager  of  Business  and  Industry  Training. 
Recognizing  that  there  were  some  issues,  management 
further  improved  supervision  by  performing  the 
following: 

As  of  July  1 ,  2006  a  new  position,  Director  of 
Extension  Services,  was  created  to  oversee  the 
operations  of  Business  and  Industry  Training  and 
other  extension  programming. 

Supervision  of  the  General  Manager  of  B.l.T.  was 
always  present  and  increased  in  July.  It  is  also 
important  to  note  in  the  auditors'  findings  that  there 
were  no  concerns  expressed  by  any  of  the  parties 
contracting  with  the  College.  We  will  implement 
additional  reporting  and  monitoring  measures  to  further 
improve  supervision  of  contracting  staff  beginning  in 
January  2007. 

Accepted.  We  will  implement  this  recommendation  by 
January  31,  2007. 


8.     International  Students 

We  recommend  that  Lakeland  College  enforce  its  policy 
for  involvement  with  international  students. 


Accepted.  We  will  commit  to  train  all  deans,  directors 
and  appropriate  managers  at  their  council  meetings. 
This  will  take  place  by  January  3 1 ,  2007. 
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Post  Secondary  Institutions 

9.    Grant  MacEwan  College  construction  management 

We  recommend  Grant  MacEwan  College  ensure  that 
signed  contracts  (interim  or  final)  for  construction 
projects  are  in  place  before  projects  start. 


Accepted.  Improvement  should  be  made  in  the  timing 
of  contract  signing  relative  to  commencement  of 
services.  While  various  parameters  may  not  allow  for 
absolute  contract  completion  prior  to  service 
commencement,  significant  delays  should  not  be 
incurred.  Policies  will  be  adjusted  to  ensure  advance 
services  and  delays  in  contract  signing  are  minimized. 


Donations  to  Grant  MacEwan  College 

We  recommend  that  Grant  MacEwan  College  establish  a 
policy  clearly  indicating  it  will  not  solicit  or  accept 
donations  with  participating  vendors  during  a  tendering 
process. 

Southern  Alberta  Institute  of  Technology 
construction  management 

We  recommend  the  Southern  Alberta  Institute  of 
Technology  ensure  signed  contracts  (interim  or  final)  are 
in  place  for  constaiction  projects  prior  to  services  being 
rendered. 


Accepted.  Procurement  policy  will  be  adjusted  to 
ensure  the  College  avoids  any  conflict  of  interest,  real 
or  perceived,  by  disallowing  bidders  from  providing 
donations  or  gifts  to  the  College  during  the  tender 
process. 


Accepted.  Management  will  investigate  industry 
standard  practices  for  construction  contracts,  report 
back  to  its  Campus  Development  and  Audit 
Committees  and  effect  the  necessary  changes  to  SAIT's 
practices. 


Agriculture,  Food  and  Rural  Development — Expense  accounts 

12.  Processes  for  reporting  and  dealing  with  allegations 
of  employee  misconduct 

We  recommend  that  the  Department  of  Agriculture,  Food     Accepted.  The  Department  will  work  to  develop  and 
and  Rural  Development  improve  its  systems  for  reporting     implement  a  policy  which  will  outline  appropriate 
and  dealing  with  allegations  of  employee  misconduct.         processes  for  reporting  and  responding  to  allegations  of 

employee  misconduct. 
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Reporting  the  status  of  recommendations 

We  require  the  government  to  agree  to  an  implementation  date  for  each  recommendation  it 
accepts.  Typically,  we  do  not  report  on  the  progress  of  an  outstanding  recommendation  until 
management  has  had  sufficient  time  to  implement  the  recommendation  and  we  have  completed 
our  follow-up  audit  work. 


Status  of  recommendation 

Implemented 

Recommendation  repeated 
Progress  report 


What  we  say  in  the  report 

We  briefly  explain  how  the  government  implemented  the 
recommendation. 

We  explain  why  we  are  repeating  the  recommendation  and 
what  the  government  must  still  do  to  implement  the 
recommendation. 

We  provide  information  when  we  consider  it  useful  for  ML  As 
to  understand  management's  actions. 


Recommendations  more  than  3  years  old  are  shown  on  page  218. 
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Recommendations  more  than  3  years  old 

We  use  3  years  as  a  performance  measure  for  when  we  expect  management  to 
implement  our  recommendations.  The  following  table  shows  the  status  of 
numbered  recommendations  more  than  3  years  old.  Currently,  there  are  26 
numbered  recommendations  that  are  not  yet  implemented — we  are  repeating  one 
of  them  in  this  report. 


Total  numbered  Fully  Not  yet 
recommendations 1     Implemented 2  implemented 

1996-  1997                   26  25  1 

1997-  1998                   47  45  2 

1998-  1999                   28  24  4 

1999-  2000                   33  30  3 

2000-  2001                   26  23  3 

2001-  2002                   26  18  8 

2002-  2003                   26  21  5 


26 


This  is  the  recommendation  we  are  repeating  in  this  report: 
Advanced  Education  and  Technology 

•  2006-2007,  No.  19:  Grant  MacEwan  College— Financial  Processes  (2000-2001,  No.  39) 


1  Excludes  repeated  recommendations 

"  Includes  not  repeated  due  to  changed  circumstances 
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Work  of  the  Office 

The  Auditor  General  audits  the  financial  statements  of  every  ministry, 
department,  regulated  fund,  and  provincial  agency.  These  financial  statement 
audits  and  auditing  the  performance  measures  cost  $14.7  million  in 
fiscal  2007.  The  remainder  of  our  resources,  $3.9  million,  was  used  to  perform 
systems  audits  to  improve  the  use  of  public  resources,  as  required  by  section 
19(2)(d)  and  (e)  of  the  Auditor  General  Act. 

There  are  four  sources  that  we  use  to  identify  potential  audit  work  that  could 
improve  the  use  of  public  resources.  These  sources  are: 

•  knowledge  of  public  sector  program  objectives,  risks,  controls  and 
accountability  gathered  over  time  and  specifically  to  plan  current  financial 
statement  audits 

•  information  about  transactions,  assets  and  liabilities  obtained  while  doing 
financial  statement  audits 

•  concerns  expressed  by  MLAs,  legislative  committees  and  the  public 

•  requests  for  assistance  from  management  of  the  organizations  we  audit 

To  get  to  a  manageable  number  of  systems  audits,  we  prioritize  the  potential 
issues  by  considering  whether  our  audit  work  would  result  in 
recommendations  to  improve  the  safety  and  welfare  of  Albertans,  the  security 
and  use  of  the  province's  resources,  or  the  governance  and  ethics  with  which 
government  operations  are  managed. 

We  know  we  can  be  effective  if  we  can  persuade  senior  government  managers 
to  implement  our  recommendations;  we  also  know  that  their  receptiveness  to 
our  suggestions  is  influenced  by  their  perception  of  our  knowledge  and 
experience,  and  our  understanding  of  their  business.  This  is  why  we  work  with 
management  to  identify  issues  and  recommend  solutions  before  the  issues 
become  more  serious  problems. 

Our  follow-up  work  on  recommendations  from  previous  systems  audits  is  an 
in-depth  process  because  we  re-perform  the  audit  testing  to  provide  evidence 
that  the  standards  (criteria)  we  used  for  our  original  audit  are  now  fully  met. 
We  work  with  management  to  obtain  plans  and  timetables  for  implementation 
of  the  recommendations  they  have  accepted,  keeping  in  mind  the  expectation 
that  implementation  should  occur  within  three  years. 

Compliance  with  the  law 

We  are  satisfied  that  the  transactions  and  activities  we  examined  in  financial 
statement  audits  complied  with  relevant  legislative  requirements,  apart  from 
the  instances  of  non-compliance  described  in  this  report.  As  auditors,  we  only 
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test  some  transactions  and  activities,  so  we  caution  readers  that  it  would  be 
inappropriate  to  conclude  that  our  testing  would  identify  all  transactions  and 
activities  that  do  not  comply  with  the  law. 


220 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 


Overview  of  the  Annual  Report 


|  Overview  of  the  Annual  Report 

Guidance  to  readers 

1 .  What  the  report  does 

This  annual  report  describes: 

•  what  the  Alberta  government  and  its  ministries  and  other  entities 
should  do  to  improve  their  systems, 

•  the  results  of  our  financial  statements  audits  of  the  government  and  its 
ministries  and  other  entities,  and 

•  the  results  of  performing  specified  auditing  procedures  (see  Glossary) 
on  ministry  performance  measures. 

2.  Structure  of  the  report 

l  Volume  2  of  this  report  has  a  chapter  for  each  ministry.  If  we  have 

recommendations  for  a  ministry,  its  chapter  has  four  parts: 

•  Summary  highlights  what  a  ministry  must  do  to  improve  its  systems. 

•  Overview  briefly  describes  a  ministry  and  its  agencies,  boards,  and 
commissions. 

•  Scope  explains  the  extent  of  our  work  in  a  ministry — auditing  its 
financial  statements  and  usually,  examining  some  of  its  systems.  We 
choose  which  systems  to  audit  based  on  our  assessment  of  how 
significant  a  system  is  and  the  risk  that  it  may  not  meet  certain 
criteria.  The  greater  the  significance  and  risk,  the  more  likely  it  is  that 
we'll  audit  a  system — for  more  detail,  see  Systems  audit  in  Glossary. 

•  Our  audit  findings  and  recommendations  describes  problems  we 
found  and  solutions  we  recommend.  We  number  what  we  consider  to 
be  our  most  important  recommendations  and  require  a  response  to 
them  from  the  government. 

i 

If  we  have  no  recommendations  for  a  ministry,  the  chapter  is  condensed. 
The  report  also  includes: 

•  a  list  of  this  year's  recommendations — see  Volume  1 ,  page  1 5. 

•  a  Cross-Ministry  chapter  applying  to  several  ministries  or  the  whole 
government — see  Volume  1,  page  171. 

•  a  chapter  on  the  Government  of  Alberta  annual  report — see  Volume  1, 
page  183. 

•  a  summary  of  all  outstanding  recommendations — Volume  2, 
page  197. 

•  a  table  of  outstanding  recommendations  that  are  more  than  three  years 
old — Volume  2,  page  2 1 8. 

•  an  index — Volume  2,  page  267. 

•  a  Glossary  explaining  specialized  words  and  phrases  we  use  in  the 
report — Volume  2,  page  261. 
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Report  subsections 

In  each  chapter,  the  part  called  Our  audit  findings  and  recommendations 
has  a  subsection  for  each  topic  (we  sometimes  combine  shorter 
subsections).  If  we  have  a  recommendation  on  a  topic,  the  subsection 
normally  has  the  following  five  subheadings: 

1 .  Recommendation 

2.  Background 

3 .  Criteria:  the  standards  we  used  for  our  audit 

4.  Our  audit  findings 

5.  Implications  and  risks  if  recommendation  not  implemented 

To  understand  how  these  subsections  fit  together,  it  helps  to  know  how  we 
do  a  systems  audit — for  more  detail,  see  Systems  audit  in  Glossary. 
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Auditor  General  Act 

Chapter  A-46 

Key  sections 

1 1    Auditor  General  as  auditor 
14    Access  to  information 
14.1  Evidence  under  oath 

16  Reliance  on  auditor 

1 7  Special  duties  of  Auditor  General 

18  Annual  report  on  financial  statements 

1 9  Annual  report  of  Auditor  General 

20  Special  reports 
20.1  Assembly  not  sitting 

28  Report  after  examination 

29  Advice  on  organization,  systems,  etc. 

HER  MAJESTY,  by  and  with  the  advice  and  consent  of  the 
Legislative  Assembly  of  Alberta,  enacts  as  follows: 
Auditor  General  as  auditor 
1 1   The  Auditor  General 

(a)  is  the  auditor  of  every  ministry,  department,  regulated  fund  and 
Provincial  agency,  and 

(b)  may  with  the  approval  of  the  Select  Standing  Committee  be  appointed 
by  a  Crown-controlled  organization  or  any  other  organization  or  body 
as  the  auditor  of  that  Crown-controlled  organization  or  other 
organization  or  body. 

RSA  1980  cA-49  sl2;1995  cG-5.5  sl7;  2004  c2  sl(23) 

Access  to  information 

14(1)  The  Auditor  General  is  at  all  reasonable  times  and  for  any  purpose 
related  to  the  exercise  or  performance  of  the  Auditor  General's  powers  and 
duties  under  this  or  any  other  Act  entitled  to  access  to  the  records  of,  and 
electronic  data  processing  equipment  owned  or  leased  by 

(a)  a  department,  fund  administrator  or  Provincial  agency,  or 

(b)  a  Crown-controlled  organization  or  other  organization  or  body  of 
which  the  Auditor  General  is  the  auditor. 
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(2)  The  following  persons  shall  give  to  the  Auditor  General  any 
information,  records  or  explanations  that  the  Auditor  General  considers 
necessary  to  enable  the  Auditor  General  to  exercise  or  perform  the  Auditor 
General's  powers  and  duties  under  this  or  any  other  Act: 

(a)  present  or  former  public  employees,  public  officials  or  personal 
service  contractors; 

(b)  present  or  former  employees,  officers,  directors  or  agents  of  a 
Crown-controlled  organization  or  other  organization  or  body  of  which 
the  Auditor  General  is  the  auditor. 

(3)  The  Auditor  General  may  station  any  employee  of  the  Office  of  the 
Auditor  General  in  the  offices  of 

(a)  a  department,  fund  administrator  or  Provincial  agency,  or 

(b)  a  Crown-controlled  organization  or  other  organization  or  body  of 
which  the  Auditor  General  is  the  auditor, 

for  the  purpose  of  enabling  the  Auditor  General  to  exercise  or  perform  the 
Auditor  General's  powers  and  duties  under  this  or  any  other  Act  more 
effectively,  and  the  department,  fund  administrator,  Provincial  agency, 
Crown-controlled  organization  or  other  organization  or  body  shall  provide 
the  necessary  office  accommodation  for  an  employee  so  stationed. 

(4)  The  Auditor  General  or  an  employee  of  the  Office  of  the  Auditor 
General  who  receives  information  from  a  person  whose  right  to  disclose 
that  information  is  restricted  by  law,  holds  that  information  under  the  same 
restrictions  respecting  disclosure  as  governed  the  person  from  whom  the 
information  was  obtained. 

RSA  1980  cA-49  si 5;  2004  cl5  s5 

Evidence  under  oath 

14.1(1)  In  conducting  an  audit  or  examination  or  performing  any  other  duty 
or  function  under  this  or  any  other  Act,  the  Auditor  General  may  by  a  notice 
require  any  person 

(a)  to  attend  before  the  Auditor  General  to  give  evidence  under  oath  with 
respect  to  any  matter  related  to  the  audit,  examination  or  other  duty  or 
function,  and 

(b)  to  produce  any  records  respecting  the  matter  referred  to  in  the  notice. 
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(2)  [fa  person  fails  or  refuses  to  comply  with  a  notice  under  subsection  ( 1 ), 
the  Court  of  Queen's  Bench,  on  the  application  of  the  Auditor  General,  may 
issue  a  bench  warrant  requiring  the  person  to  attend  before  the  Auditor 
General  in  compliance  with  the  notice. 

(3)  If  a  witness  refuses 

(a)  to  give  evidence  in  compliance  with  a  notice  under  subsection  ( 1 ). 

(b)  to  answer  any  questions  before  the  Auditor  General  pursuant  to  the 
notice,  or 

(c)  to  produce  any  records  referred  to  in  the  notice, 

the  Court  of  Queen's  Bench,  on  the  application  of  the  Auditor  General,  may 
commit  the  witness  for  contempt. 

(4)  A  person  who  is  given  a  notice  under  subsection  ( 1 )  shall  not  be 
excused  from  giving  evidence  or  from  producing  records  on  the  ground  that 
the  evidence  or  records  might  tend  to  incriminate  the  person  or  subject  the 
person  to  a  penalty  or  forfeiture. 

(5)  A  witness  who  gives  evidence  or  produces  records  pursuant  to 
subsection  ( 1 )  has  the  right  not  to  have  any  incriminating  evidence  so  given 
used  to  incriminate  that  witness  in  any  other  proceedings,  except  in  a 
prosecution  for  or  proceedings  in  respect  of  perjury  or  the  giving  of 
contradictory  evidence. 

2004  cl  5  s6 

Reliance  on  auditor 

16(1)  In  this  section,  "regional  authority"  means  a  board  under  the  School 
Act  or  a  regional  health  authority,  subsidiary  health  corporation,  community 
health  council  or  provincial  health  board  under  the  Regional  Health 
Authorities  Act. 

(2)  If  the  Auditor  General  is  not  the  auditor  of  a  regional  authority,  the 
person  appointed  as  auditor 

(a)     must  give  the  Auditor  General,  as  soon  as  practicable  after  completing 
the  audit  of  the  regional  authority,  a  copy  of  the  person's  findings  and 
recommendations  and  a  copy  of  the  audited  financial  statements  and 
all  other  audited  information  respecting  the  regional  authority, 
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(b)  may  conduct  such  additional  work  at  the  direction  and  expense  of  the 
Auditor  General  as  the  Auditor  General  considers  necessary,  and 

(c)  must  co-operate  with  the  Auditor  General  when  the  Auditor  General 
performs  work  for  a  report  to  the  Legislative  Assembly  under 
section  19. 

(3)  A  regional  authority  must  give  a  person  appointed  as  auditor  of  the 
regional  authority  any  information  the  person  requires  for  the  purposes  of 
subsection  (2). 

(4)  If  the  Auditor  General  is  not  the  auditor  of  a  regional  authority,  the 
Auditor  General  may  rely  on  the  report  and  work  of  the  person  appointed  as 
auditor. 

1995  cG-5.5  sl7 

Special  duties  of  Auditor  General 

17(1)  The  Auditor  General  shall  perform  such  special  duties  as  may  be 
specified  by  the  Assembly. 

(2)  The  Auditor  General  shall  perform  such  special  duties  as  may  be 
specified  by  the  Executive  Council,  but  only  if  those  special  duties  do  not 
conflict  with  or  impair  the  exercise  or  performance  of  any  of  the  Auditor 
General's  powers  and  duties  under  this  or  any  other  Act. 

(3)  The  Auditor  General  shall  present  any  report  prepared  by  the  Auditor 
General  under  subsection  (1)  to  the  chair  of  the  Select  Standing  Committee, 
who  shall  lay  the  report  before  the  Assembly  forthwith  if  it  is  then  sitting  or, 
if  it  is  not  sitting,  within  1 5  days  after  the  commencement  of  the  next 
sitting. 

(4)  The  Auditor  General  shall  present  any  report  prepared  by  the  Auditor 
General  under  subsection  (2)  to  the  President  of  the  Executive  Council  and 
afterwards  the  Auditor  General  may,  on  3  days'  notice  to  the  Speaker  of  the 
Assembly,  deliver  copies  of  the  report  to  the  Speaker,  who  shall  forthwith 
distribute  the  copies  to  the  office  of  each  Member  of  the  Assembly. 

(5)  After  the  Speaker  has  distributed  copies  of  the  report  under  subsection 
(4),  the  Auditor  General  may  make  the  report  public. 
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(6)  Despite  subsection  (4).  if  there  is  no  Speaker  or  if  the  Speaker  is  absent 
from  Alberta,  the  Auditor  General  may  give  the  notice  under  subsection  (4 ) 
to  the  Clerk  of  the  Assembly,  who  shall  comply  with  subsection  (4)  as  if  the 
Clerk  were  the  Speaker. 

RSA  1 980  cA-49  s  1 7;  2004  c  1 5  s7 

Annual  report  on  financial  statements 

18(1)  After  the  end  of  each  fiscal  year  of  the  Crown,  the  Auditor  General 
shall  report  to  the  Assembly  on  the  financial  statements  of  the  Crown  for 
that  fiscal  year. 

(2)  A  report  of  the  Auditor  General  under  subsection  ( 1 )  shall 

(a)  include  a  statement  as  to  whether,  in  the  Auditor  General's  opinion, 
the  financial  statements  present  fairly  the  financial  position,  results  of 
operations  and  changes  in  financial  position  of  the  Crown  in 
accordance  with  the  disclosed  accounting  principles, 

(b)  when  the  report  contains  a  reservation  of  opinion  by  the  Auditor 
General,  state  the  Auditor  General's  reasons  for  that  reservation  and 
indicate  the  effect  of  any  deficiency  on  the  financial  statements,  and 

(c)  include  any  other  comments  related  to  the  Auditor  General's  audit  of 
the  financial  statements  that  the  Auditor  General  considers 
appropriate. 

RSA  1980  cA-49  si 8;  1995  c23  s3 

Annual  report  of  Auditor  General 

19(1)  After  the  end  of  a  fiscal  year  of  the  Crown,  the  Auditor  General  shall 
report  to  the  Legislative  Assembly 

(a)  on  the  work  of  the  Office  of  the  Auditor  General,  and 

(b)  on  whether,  in  carrying  on  the  work  of  that  Office,  the  Auditor 
General  received  all  the  information,  reports  and  explanations  the 
Auditor  General  required. 

(2)  A  report  of  the  Auditor  General  under  subsection  (1)  shall  include  the 
results  of  the  Auditor  General's  examinations  of  the  organizations  of  which 
the  Auditor  General  is  the  auditor,  giving  details  of  any  reservation  of 
opinion  made  in  an  audit  report,  and  shall  call  attention  to  every  case  in 
which  the  Auditor  General  has  observed  that 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


227 


Volume  2 


Auditor  General  Act — Key  sections 


(a)  collections  of  public  money 

(i)  have  not  been  effected  as  required  under  the  various  Acts  and 
regulations,  directives  or  orders  under  those  Acts, 

(ii)  have  not  been  fully  accounted  for,  or 

(iii)  have  not  been  properly  reflected  in  the  accounts, 

(b)  disbursements  of  public  money 

(i)  have  not  been  made  in  accordance  with  the  authority  of  a 
supply  vote  or  relevant  Act, 

(ii)  have  not  complied  with  regulations,  directives  or  orders 
applicable  to  those  disbursements,  or 

(iii)  have  not  been  properly  reflected  in  the  accounts, 

(c)  assets  acquired,  administered  or  otherwise  held  have  not  been 
adequately  safeguarded  or  accounted  for, 

(d)  accounting  systems  and  management  control  systems,  including  those 
systems  designed  to  ensure  economy  and  efficiency,  that  relate  to 
revenue,  disbursements,  the  preservation  or  use  of  assets  or  the 
determination  of  liabilities  were  not  in  existence,  were  inadequate  or 
had  not  been  complied  with,  or 

(e)  when  appropriate  and  reasonable  procedures  could  have  been  used  to 
measure  and  report  on  the  effectiveness  of  programs,  those 
procedures  were  either  not  established  or  not  being  complied  with, 

and  shall  call  attention  to  any  other  case  that  the  Auditor  General  considers 
should  be  brought  to  the  notice  of  the  Assembly. 

(3)  In  a  report  under  subsection  ( 1 ),  the  Auditor  General  may 

(a)     comment  on  the  financial  statements  of  the  Crown,  Provincial 

agencies,  Crown-controlled  organizations  or  any  other  organization  or 
body  of  which  the  Auditor  General  is  the  auditor  on  any  matter 
contained  in  them  and  on 

(i)       the  accounting  policies  employed,  and 
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(ii)      whether  the  substance  of  any  significant  underlying  financial 
matter  that  has  come  to  the  Auditor  General's  attention  is 
adequately  disclosed, 

(b)  include  summarized  information  and  the  financial  statements  of  an 
organization  on  which  the  Auditor  General  is  reporting  or  summaries 
of  those  financial  statements,  and 

(c)  comment  on  the  suitability  of  the  form  of  the  estimates  as  a  basis  for 
controlling  disbursements  for  the  fiscal  year  under  review. 

(4)  After  the  end  of  a  fiscal  year  of  the  Crown,  the  Auditor  General  shall 
report  to  the  Legislative  Assembly  on  the  results  of  the  examinations  of  the 
regional  authorities  referred  to  in  section  16. 

(5)  A  report  under  this  section  shall  be  presented  by  the  Auditor  General  to 
the  chair  of  the  Select  Standing  Committee  who  shall  lay  the  report  before 
the  Assembly  forthwith  if  it  is  then  sitting  or,  if  it  is  not  sitting,  within  15 
days  after  the  commencement  of  the  next  sitting. 

(6)  The  Auditor  General  need  not  report  on  deficiencies  in  systems  or 
procedures  otherwise  subject  to  report  under  subsection  (2)(d)  or  (e)  which, 
in  the  Auditor  General's  opinion,  have  been  or  are  being  rectified. 

RSA  1980cA-49sl9;1995  cG-5.5  sl7;1996  cA-27.01  s22 

Special  reports 

20(1)  The  Auditor  General  may  prepare  a  special  report  to  the  Assembly  on 
any  matter  of  importance  or  urgency  that,  in  the  Auditor  General's  opinion, 
should  not  be  deferred  until  the  presentation  of  the  Auditor  General's 
annual  report  under  section  19. 

(2)  A  report  under  this  section  must  be  presented  by  the  Auditor  General  to 
the  chair  of  the  Select  Standing  Committee  who  shall  lay  the  report  before 
the  Assembly  forthwith  if  it  is  then  sitting  or.  if  it  is  not  sitting,  within  15 
days  after  the  commencement  of  the  next  sitting. 

RSA  1980  cA-49  s20 
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Assembly  not  sitting 

20. 1  (1)  When  the  Assembly  is  not  sitting  and  the  Auditor  General 
considers  it  important  that  a  report  presented  to  the  chair  of  the  Select 
Standing  Committee  under  section  17(3),  19(5)  or  20(2)  be  made  available 
to  the  Members  of  the  Assembly  and  to  the  public,  the  Auditor  General 
may,  on  3  days'  notice  to  the  Speaker  of  the  Assembly,  deliver  copies  of  the 
report  to  the  Speaker,  who  shall  forthwith  distribute  the  copies  to  the  office 
of  each  Member  of  the  Assembly. 

(2)  After  the  Speaker  has  distributed  copies  of  the  report  under  subsection 
( 1 ),  the  Auditor  General  may  make  the  report  public. 

(3)  Despite  subsection  (1),  if  there  is  no  Speaker  or  if  the  Speaker  is  absent 
from  Alberta,  the  Auditor  General  may  give  the  notice  under  subsection  (1) 
to  the  Clerk  of  the  Assembly,  who  shall  comply  with  subsection  (1)  as  if  the 
Clerk  were  the  Speaker. 

(4)  Nothing  in  this  section  dispenses  with  the  requirement  of  the  chair  of 
the  Select  Standing  Committee  to  lay  a  report  before  the  Assembly  pursuant 
to  section  17(3),  19(5)  or  20(2). 

2004  cl  5  s8 

Report  after  examination 

28  The  Auditor  General  shall  as  soon  as  practicable  advise  the  appropriate 
officers  or  employees  of  a  department,  Provincial  agency  or 
Crown-controlled  organization  of  any  matter  discovered  in  the  Auditor 
General's  examinations  that,  in  the  opinion  of  the  Auditor  General,  is 
material  to  the  operation  of  the  department,  Provincial  agency  or 
Crown-controlled  organization,  and  shall  as  soon  as  practicable  advise  the 
Minister  of  Finance  of  any  of  those  matters  that,  in  the  opinion  of  the 
Auditor  General,  are  material  to  the  exercise  or  performance  of  the  Minister 
of  Finance's  powers  and  duties. 

RSA  1980  cA-49  s28;  2004  cl5  s9 

Advice  on  organization,  systems,  etc. 

29  The  Auditor  General  may,  at  the  request  of  a  department,  Provincial 
agency  or  Crown-controlled  organization  or  any  other  organization  or  body 
of  which  the  Auditor  General  is  the  auditor,  provide  advice  relating  to  the 
organization,  systems  and  proposed  course  of  action  of  the  department, 
Provincial  agency  or  Crown-controlled  or  other  organization  or  body. 

RSA  1980  cA-49  s29 
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Committees  and  Agents 

Standing  Committee  on  Legislative  Offices 

Reports  issued  under  section  19  of  the  Auditor  General  Act  are  tabled  in  the 
Legislative  Assembly  by  the  Chairman  of  the  Standing  Committee  on 
Legislative  Offices.  Members  of  the  Committee  on  June  14,  2007,  the  day  the 
Assembly  last  adjourned  were: 


Dave  Rodney,  Chair  Richard  Magnus,  Deputy  Chair 

Laurie  Blakeman  Richard  Marz 

Wayne  Cao  Barry  McFarland 

David  Coutts  Raj  Pannu 

Denis  Ducharme  George  VanderBurg 

Jack  Flaherty 


Public  Accounts  Committee 

The  Public  Accounts  Committee  acts  on  behalf  of  the  Members  of  the 
Assembly  in  examining  the  government's  management  and  control  of  public 
resources.  Our  Annual  Report  and  the  ministry  annual  reports  are  used  by  the 
Committee  in  its  examination  of  the  use  and  control  of  public  resources.  The 
members  are: 


Hugh  MacDonald,  Chair 
Bill  Bonko 
Neil  Brown 
Mike  Cardinal 
Harvey  Cenaiko 
Harry  Chase 
Alana  DeLong 
Clint  Dunford 
David  Eggen 


Raymond  Prins,  Deputy  Chair 

Heather  Forsyth 

Denis  Herard 

Art  Johnston 

Richard  Miller 

Dave  Rodney 

Ivan  Strang 

Len  Webber 
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Audit  Committee 


Before  being  tabled,  annual  reports  are  made  available  to  an  Audit  Committee 
in  accordance  with  section  24  of  the  Auditor  General  Act.  The  members  of  the 
Audit  Committee  as  at  the  date  of  this  report,  all  of  whom  were  appointed  by 
Order  in  Council,  are: 


The  Auditor  General's  Office  has  continued  the  policy  of  utilizing  the  services 
of  firms  of  private  sector  chartered  accountants.  These  firms  act  as  our  agent 
under  section  9  of  the  Auditor  General  Act,  and  their  contributions  in 
supplementing  the  staff  resources  of  the  Auditor  General's  Office  are  gratefully 
acknowledged.  Agents  acting  in  respect  of  the  fiscal  year  ended 
March  31,  2007,  were  as  follows: 

BDO  Dunwoody  LLP 

Collins  Barrow  Edmonton  LLP 

Deloitte  &  Touche  LLP 

Ernst  &  Young  LLP 

Hawkings  Epp  Dumont  LLP 

Johnston,  Morrison,  Hunter  &  Co.  LLP 

King  &  Company 

KPMG  LLP 

Meyers  Norris  Penny  LLP 
PricewaterhouseCoopers  LLP 
Young  Parkyn  McNab  LLP 


George  Cornish,  Chair 
Don  Wilson 
John  Watson 
Ted  Allen 


The  Hon.  Lloyd  Snelgrove 
Terry  Gomke 
Tracey  Ball 


Agents 


232 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 


Office  of  the  Auditor  General — Performance  Report 


Results  analysis 

March  31,  2007 
Highlights 

We  had  a  successful  and  challenging  year.  In  addition  to  completing  199  assurance  audits,  we 
conducted  125  systems  audits.  In  Volume  1  of  the  2005-2006  Annua!  Report  of  the  Auditor 
General  (October  2006),  we  reported  the  results  of  four  major  systems  audits:  Drinking  Water, 
Food  Safety,  Reforestation,  and  Regional  Health  Authority  Global  Funding.  Volume  1  also 
included  key  recommendations  on  information  technology  project  management,  information 
system  controls,  monitoring  the  apprenticeship  program,  farm  fuel  benefit  program  eligibility, 
school  board  budgeting,  assurance  on  well  and  production  data  and  royalty  revenue  adjustments, 
and  health  care  costs.  In  the  Report  of  Auditor  General  of  Alberta  (November  2006),  we  released 
results  of  6  other  systems  audits  on  contracting  practices  at  the  Alberta  Alcohol  and  Drug  Abuse 
Commission,  Metis  Settlements  Ombudsman,  capital  grants  to  Metis'  Settlements,  general 
computer  controls  in  colleges,  and  expense  account  abuse  at  Agriculture  and  Food. 

Our  Office  faced  two  significant  challenges:  high  staff  turnover  and  implementing  new  assurance 
auditing  standards  issued  by  the  Canadian  Institute  of  Chartered  Accountants  (CICA).  These  two 
factors  required  us  to  spend  17,000  more  hours  (14%)  than  we  spent  last  year  to  complete  our 
assurance  work. 

The  heated  Alberta  economy  means  that  other  organizations  are  seeking  our  accountants  and 
auditors.  We  lost  21%  of  our  professional  staff,  primarily  at  senior  audit  levels.  Qualified  staff 
are  crucial  to  managing  our  assurance  and  systems  audits  and  overseeing  new  and  temporary 
audit  staff.  New  staff — permanent  and  temporary — increase  the  demand  for  coaching  and 
supervision  from  remaining  senior  audit  staff,  resulting  in  an  increase  in  audit  hours  and  in 
overtime  hours  of  14%. 

Complying  with  the  new  assurance  auditing  standards  resulted  in  more  documentation  describing 
and  analysing  entities'  internal  controls.  We  had  to  conduct  more  procedures  in  assessing  risks 
and  examine  more  transactions,  especially  financial  instruments,  more  closely.  Our  teams  gained 
a  deeper  understanding  of  entities'  risks  and  controls.  We  look  forward  to  capitalizing  on  this 
initial  work  to  achieve  greater  audit  efficiency  and  effectiveness  in  the  future. 

Given  the  changes  in  our  internal  and  external  environments,  we  must  continue  to  focus  on 
managing  our  workload  and  on  obtaining  the  necessary  expertise  at  the  best  cost  available — to 
complete  our  broad  range  of  audits. 
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Mission 

To  identify  opportunities  and  propose  solutions  for  the  improved  use  of public  resources,  and  to 
improve  and  add  credibility  to  performance  reporting,  including  financial  reporting,  to 
Albertans. 

The  Auditor  General  Act  requires  the  Auditor  General,  and  the  staff  of  the  Office  of  the  Auditor 
General  (OAG),  to  provide  independent  reporting  on  government's  management  of,  and 
accountability  practices  for,  the  public  resources  entrusted  to  it. 

In  fulfilling  our  mission,  both  the  Auditor  General  and  his  Office  must  be — and  be  seen  to  be — 
objective.  To  ensure  this  objectivity,  we  are: 

•  independent  of  government 

•  familiar  and  comply  with  accounting  and  auditing  standards  recommended  by  the  Canadian 
Institute  of  Chartered  Accountants 

•  subject  to  professional  ethical,  independence  and  quality  assurance  standards 

Core  businesses 

We  operate  two  separate  but  complementary  core  businesses:  assurance  auditing  and  systems 
auditing: 

1 .  Assurance  auditing — known  as  attest  or  financial  statement  audits 

Assurance  audits  confirm  that  the  performance  reports  of  government  organizations  are 
credible.  We  say  whether  the  consolidated  financial  statements  of  the  province,  and  the 
financial  statements  of  the  ministries,  departments,  funds  and  Provincial  agencies,  are 
presented  fairly  in  accordance  with  applicable  standards.  We  also  check  if  transactions 
comply  with  the  law.  In  addition,  we  examine  and  report  on  non-financial  performance 
measures  that  government  organizations  include  in  their  annual  reports. 

2.  Systems  auditing — known  as  va!ue-for-money  audits 

Systems  audits  examine  financial  and  management  control  systems  of  government 
organizations  to  identify  opportunities  for  improvement.  These  are  the  systems  government 
organizations  use  to  measure  the  effectiveness  of  their  programs  and  to  manage  the  risks  of 
missing  their  objectives  of  economy  and  efficiency. 
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The  Legislative  Assembly  funds  our 
operations.  For  2006-2007,  it  provided 
us  $19,046,000  for  operations  and 
$120,000  for  capital  requirements. 

We  are  returning  $473,000  (2%  of  our 
budget)  to  the  Legislative  Assembly  for 
the  2006-2007  fiscal  year.  This  unspent 
funding  is  mainly  from  postponed 
systems  projects,  which  agents  were 
going  to  do. 

Figure  1  shows  our  approved  budgets 
and  actual  spending  over  the  last 
five  years. 

1 .  Variance  of  this  year's  total  actual  costs  compared  to  the  budget 

Schedule  1  of  our  2006-2007  financial  statements  summarizes  the  costs  by  ministry — for 
the  fiscal  year  ended  March  31,  2007 — of  assurance  and  systems  audits.  We  reported  the 
results  from  much  of  this  audit  work  in  the  2005-2006  Annual  Report  of  the  Auditor 
General  (October  2006),  and  in  the  Report  of  the  Auditor  General  of  Alberta 
(November  2006). 

In  2006-2007,  our  overall  assurance  audit  costs  were  $1.8  million  (14%)  above  budget  while 
our  systems  audit  costs  were  $2.3  million  (37%)  below  budget.  This  is  a  significant  spending 
shift  from  systems  to  assurance  audits.  The  assurance  audits  for  the  ministries  of  Finance. 
Advanced  Education  and  Technology,  and  Health  and  Wellness  exceeded  their  budgets.  This 
was  mainly  due  to  staff  turnover,  high  use  of  temporary  audit  staff,  and  the  new  CICA 
assurance  auditing  standards  (mentioned  in  the  Highlight  section  of  this  analysis). 
Conversely,  our  systems  audits  for  the  ministries  of  Children's  Services,  and  Seniors  and 
Community  Supports,  as  well  as  our  cross-ministry  systems  audit,  were  significantly  under 
budget.  This  was  primarily  due  to  reduced  scope  of  audits  and  audits  postponed  to  future 
years. 

2.  Variance  of  this  year's  total  actual  costs  to  last  year's 

Overall,  actual  total  costs  increased  by  $778,000,  or  4%  over  last  year.  For  the  same  reasons 
as  mentioned  above,  our  overall  assurance  audit  costs  increased  by  $2.4  million,  or  19%,  and 
systems  audit  costs  decreased  by  $1 .6  million,  or  29%. 


Figure  I:  Budgets  Approved  hy  lite  Legislative  Assembly 


-*■  Budget 
-*-  Actual 


2003  2004  2005  2006  2007  2008 
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3.   Variances  by  categories  of  expenses 
3.1  Staff  costs 

Staff  costs  make  up  about  90%  of  our  operating  expenses.  These  comprise  salaries  and 
wages  for  OAG  staff,  employer  benefit  program  contributions,  agent  fees,  temporary  audit 
services,  and  general  advisory  fees. 

3.1.1  Salaries,  wages,  and  employer  contributions 

We  budgeted  for  131  full-time  equivalent  positions  (FTEs)  in  2006-2007.  Due  to  loss  of 
staff,  we  averaged  approximately  117  FTEs  throughout  the  year.  The  vacancy  of  14  FTEs 
reduced  our  salaries  and  wages  costs  by  $997,000  or  10%,  which  was  partially  offset  by 
$109,000  or  1%  higher-than-budgeted  overall  compensation  rate. 

Compared  to  2005-2006,  our  salaries  and  wages  costs  increased  marginally  by  $42,000  or 
0.5%,  which  was  a  4%  overall  increase  in  average  salary  rates,  offset  by  decreases  in  FTEs 
from  122  to  117.  However,  our  employer  contributions  increased  by  $143,000  or  10%,  due 
to  the  employer  premium  rate  increases  on  various  pension  plans  and  medical  benefit  plans. 


Figure  2:  Hours  by  Resource  Type 

I  t  t  |  171.000 
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As  stated  in  our  business 
plan,  the  key  forces  and 
trends  that  shape  our 
auditing  work  are 
responding  to  stakeholder 
expectations  and  keeping 
pace  with  the  changing 
environment.  To  carry  out 
our  audits,  our  challenge 
continues  to  be  building  and 
sustaining  organizational 
capacity.  As  Figure  2 
shows,  although  our  total 
audit  hours  were  consistent 
with  last  year,  due  to  staff  shortages,  we  had  fewer  available  OAG  staff  hours.  This 
reduction  in  hours  was  offset  by  an  increase  in  temporary  audit  services.  We  anticipate  the 
trend  will  continue  given  the  heated  Alberta  economy  and  demand  for  qualified  accountants 
and  auditors.  While  we  will  continue  to  recruit  our  own  staff  for  2007-2008,  we  have 
lowered  our  FTE  budget  from  131  to  122  and  increased  our  temporary  audit  services  budget 
by  $770,000  to  $1,955,000.  We  believe  that  the  trend  to  increased  reliance  on  temporary 
audit  services  must  be  reversed  by  us.  This  is  because  our  ability  to  cost  effectively  meet  the 
expectations  of  Members  of  the  Legislative  Assembly  and  Albertans  is  reduced. 

3.1.2  Agent  and  other  professional  services 

In  the  past  year,  1 1  public  accounting  firms  in  Edmonton,  Calgary,  Fort  McMurray,  Grande 
Prairie,  Lethbridge,  Red  Deer,  and  other  centres  across  the  province  acted  as  our  agents — we 
still  oversee  the  audit  work.  Using  agents  lets  us  gain  skilled  resources  to  meet  peak-period 
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demands,  acquire  cost-effective  specialist  skills,  obtain  a  point  of  reference  for  comparing 
our  methodology  and  costs,  and  save  on  travel  costs. 

In  2006-2007,  agent  fees  were  $3.7  million,  similar  to  2005-2006,  but  below  budget  by 
$387,000  or  10%.  This  budget  surplus  resulted  mainly  from  postponing  10  systems  projects 
due  to  a  lack  of  available  suitable  agents  and  a  lack  of  experienced  OAG  senior  staff  to 
oversee  the  agent  work. 

Hourly  costs  of  accounting  firms  are  approximately  25%  higher  than  our  internal  rates.  Our 
budget  for  2007-2008  for  agent  fees  has  increased  slightly  to  $4.3  million.  This  resulted,  in 
part,  from  an  overall  increase  in  average  hourly  rate  of  6%  over  last  year. 

3.1 .3  Temporary  staff  services 

We  contract  with  public  accounting  firms  for  temporary  audit  staff  during  our  peak  work 
periods.  Up  to  $1,000,000  of  the  budget  will  always  be  required  for  such  services — even  if 
we  can  maintain  the  desired  131  FTEs  for  a  year.  In  2006-2007,  the  cost  of  temporary  staff 
services  was  $2,064,000,  over  budget  by  $879,000  or  74%.  This  was  also  over  last  year's 
spending  by  $747,000  or  57%.  The  increase  directly  related  to  having  fewer  permanent  staff 
than  planned  which  is  evidenced  by  the  reduction  in  salary  costs. 

Due  to  the  market  demand  for  accountants  and  auditors  and  the  challenges  of  finding  and 
keeping  staff,  we  expect  to  continue  to  use  more  temporary  staff  than  we  prefer.  As 
mentioned  in  our  salaries  discussion,  we  have  budgeted  for  higher  spending  on  temporary 
staff  services  for  2007-2008. 

3.1.4  Advisory  services 

Advisory  services  include  fees  for  communications,  legal  counsel,  information  systems,  and 
professional  practices.  In  2006-2007,  overall  advisory  services  were  under  budget  by 
$57,000  or  22%.  Most  of  the  variance  was  due  to  lower-than-anticipated  demand  for  these 
services,  which  depends  on  the  nature  and  number  of  special  or  unusual  issues  that  arise  in  a 
year. 

3.2  Supplies  and  services  expenses 

This  spending  was  slightly  above  budget,  by  $52,000  or  2%,  resulting  from  the  net  of  the 
increases  and  decreases  in  a  number  of  expense  categories.  None  of  the  individual  variances 
were  significant. 

Supplies  and  services  costs  increased  by  $77,900  or  4%  over  2005-2006  due  to  a 
combination  of: 

•  an  increase  in  external  instructor  fees  for  running  more  in-house  training  seminars 

•  an  increase  in  recruitment  advertising  to  alleviate  staff  shortages 

•  an  increase  in  various  hardware  and  software  expenses  for  improving  network  security 

•  a  decrease  in  amortization  due  to  fully  amortizing  more  capital  assets  last  year 
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3.3  Capital  investment 

In  2006-2007,  our  capital  budget  was  mainly  for  technology,  including  computer  servers 
and  network  security  hardware.  Spending  was  $71,000,  below  our  budget  of  $120,000.  The 
surplus  was  mainly  because: 

•  we  increased  the  capital  asset  threshold  from  $2,500  to  $5,000  in  the  spring  of  2006, 
meaning  that  some  purchases  originally  budgeted  under  capital  investment  were 
charged  to  operating  expenses  (impact  about  $27,000) 

•  the  purchase  of  computer  hardware  for  network  security,  while  budgeted  for  in 
2006-2007,  occurred  late  in  2005-2006,  so  the  current-year  budget  was  unused  (impact 
about  $17,000) 

In  2007-2008,  we  plan  to  replace  our  laptop  computers  by  bulk  purchase  and  to  reconfigure 
certain  offices  and  workstations.  We  have  budgeted  $580,000  in  capital  for  these  initiatives. 

4.   Other  performance  information 

Schedule  2  of  our  2006-2007  audited  financial  statements  includes  our  performance 
measures  for  the  period  April  1,  2006  to  March  31,  2007.  We  use  specific  performance 
measures  to  monitor  our  performance  throughout  the  fiscal  year.  These  measures  provide  the 
foundation  for  the  performance  measures  in  this  report. 

As  part  of  our  upcoming  business  planning  process  for  2008-201 1,  we  will  review  and  may 
revise  the  performance  measures  that  we  use  and  report. 

4.1  Issuance  of  reports 

We  issued  our  reports  on  the  2005-2006  consolidated  financial  statements  of  the  province 
and  on  the  2005-2006  Measuring  Up  results  (performance  measures  for  the  province)  on 
target,  in  June  2006.  We  also  met  our  target  of  releasing  90%  of  auditor's  reports  for 
consolidated  entities  with  March  3 1st  year  ends  by  July  15th.  Last  year,  we  raised  our  target 
for  non-consolidated  entities  from  70%  to  80%.  But  we  did  not  meet  this  new  target.  Our 
actual  results  were  67%  for  2006-2007.  However,  the  vast  majority  of  the  audits  completed 
later  are  for  smaller  organizations.  If  smaller  audits  are  excluded,  (less  than  150  hours — 
these  audits  are  typically  less  critical)  our  results  were  78%.  We  will  continue  to  work  with 
the  organizations  we  audit  to  improve  our  audit  completion  performance. 

We  issued  all  but  one  of  our  reports  on  ministry  performance  measures  on  or  before  the 
target  date  of  September  15,  2006.  Although  we  did  not  meet  our  target  of  100%,  the  result 
has  improved  from  last  year's  86%  to  96%  this  year. 
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4.2  Budgets 

Two  of  our  performance  measures  (l.f  &  2.d)  indicate  the  percentage  of  assurance  and 
systems  audit  projects  completed  within  their  original  budgets.  The  2006-2007  results  show 
that  we  missed  our  new  target  of  90%  (up  10  points  from  previous  target  of  80%)  for  the 
number  of  assurance  projects  over  200  hours  completed  within  10%  of  the  budgeted  costs. 
Of  the  158  completed  audits  over  200  hours,  93  (or  59%)  were  under  or  within  10%  of  the 
budget.  In  general,  we  exceeded  assurance  project  budgets  due  to  the  new  assurance  auditing 
standards  and  staff  turnover,  especially  at  the  manager  level.  During  the  year,  we  gained  35 
new  employees;  predictably,  they  needed  increased  supervision  and  on-the-job  training,  thus 
increasing  audit  hours. 

At  58%,  a  4%  improvement  from  last  year,  we  were  also  short  of  our  target  of  70%  of 
systems  audits  completed  within  budget.  Budgeting  for  systems  audits  is  challenging 
because  the  scope  and  hours  depend  largely  on  the  number  and  type  of  issues  encountered 
during  the  audit.  We  continue  to  refine  our  budgeting  process  by  gathering  as  much 
information  as  possible  at  the  planning  stage. 

These  two  measures,  while  useful  from  a  project-management  perspective,  do  not 
necessarily  show  audit  quality  or  effectiveness.  For  example,  an  audit  may  uncover 
significant  issues  that  require  additional  time  to  investigate  and  then  report  to  management. 
Although  this  would  cause  a  budget  overrun,  it  also  produces  a  higher-quality  audit  that  adds 
more  value.  So  we  are  reviewing  the  relevance  of  these  two  measures  as  indicators  of  Office 
performance. 

The  other  two  measures  in  the  budget  (l.g  &  2.e)  compare  the  relative  total  Office  costs  for 
assurance  and  systems  audits.  In  2006-2007,  again  due  to  the  new  assurance  auditing 
standards  and  staff  turnover,  we  missed  our  targets  of  70%  of  costs  to  assurance  audits  and 
30%  to  systems  audits.  Actual  results  were  79%  and  21%  respectively.  While  we  revised  the 
target  to  75%  for  assurance  and  25%  for  systems  for  2007-2008,  we  plan  to  revert  to  the 
original  70-30  targets  for  2008-2009. 

4.3  Recommendations 

We  missed  our  target  for  the  government  to  accept  95%  of  the  numbered  recommendations 
in  our  2005-2006  Annual  Report.  The  actual  result  was  82%  (40  of  49).  We  will  work  with 
the  government  to  improve  results. 
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Also,  we  missed  our  target  of  no  unimplemented  numbered  recommendations  within  3  years 
of  the  government  accepting  them.  As  reported  in  our  2005-2006  Annual  Report  on 
page  250  of  Volume  2,  the  government  had  not  yet  implemented  24  of  our  primary 
recommendations  made  before  2002-2003.  It  was  making  satisfactory  progress  on  21  of  the 
24,  but  unsatisfactory  progress  on  the  remaining  3.  The  ministries  concerned  had  not 
rejected  these  recommendations,  but  progress  was  slower  than  they  had  planned.  Page  218 
of  this  2006-2007  Annual  Report  indicates  that  26  recommendations  made  before 
2003-2004  have  not  yet  been  implemented.  For  25  recommendations,  management  has  made 
satisfactory  progress,  but  for  1 ,  progress  is  unsatisfactory. 

We  met  our  target  of  releasing  our  2005-2006  Annual  Report  in  October  2006. 

4.4  Corporate  initiatives 

We  survey  staff  satisfaction  every  two  years;  the  next  survey  will  be  in  November  2007.  We 
recognize  the  importance  of  staff  morale  and  will  continue  to  improve  the  overall  working 
environment  of  the  Office.  For  example,  we  will  focus  on  increasing  communication  across 
the  Office,  ensuring  workloads  are  fair  and  reasonable,  and  compensation  is  competitive. 

Although  we  did  not  meet  our  target  of  1 00%  for  staff  meeting  their  goals  for  available  time 
spent  on  core  business  functions,  92%  (up  by  4%  from  last  year)  of  individuals  spent  all  of 
their  available  time  on  assurance  audits,  systems  audits  and  staff  functions.  The  employees 
that  did  not  meet  their  targets  are  working  with  their  career  advisors  to  ensure  they  meet 
them  next  year. 

We  strive  to  ensure  our  corporate  service  functions  operate  efficiently.  These  functions 
include  human  resource  management;  training  and  development;  information  technology; 
and  accounting  and  administration.  This  year,  we  again  met  our  target  of  keeping  corporate 
costs  no  higher  than  20%  of  total  Office  costs — they  were  16%. 

The  future 

Next  year  will  present  similar  challenges  and  opportunities  as  last  year  did.  As  part  of  our 
2007-2010  Business  Plan,  we  established  the  following  strategic  priorities  to  meet  them: 
•     Ensure  that  we  deliver  relevant,  high-quality  results — to  maximize  the  value  of  our 

resources,  we  need  to  ensure  that  our  products  are  the  most  relevant  and  useful  to  our  clients 
and  public-sector  management.  This  starts  with  ensuring  that  we  meet  the  requirements  in 
the  Auditor  General  Act.  Then  we  must  select  projects  that  examine  critical  risks.  Allocating 
our  staff  based  on  audit  risk  is  key  to  cost-effectiveness.  We  must  also  identify  the  types  of 
products  we  provide  and  the  best  products  to  meet  expectations  of  Albertans  and  MLAs. 
Ensuring  the  right  mix  of  technical  knowledge  and  expertise  to  provide  high-quality  audits 
will  continue  to  be  a  priority.  We  will  focus  our  resources  on  making  systems  audit 
recommendations  that  result  in  improved: 
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•  governance  and  ethical  behaviour — these  underpin  the  success  of  any  organization 

•  safety  and  welfare  of  Albertans — such  as  food  safety,  water  quality,  and  services  to  seniors 
and  children 

•  security  and  use  of  the  province's  resources — such  as  reforestation 

•  Use  efficient  processes — we  continue  adapting  to  the  changing  standards  that  apply  to 
financial  statement  auditors.  We  will  again  take  on  more  challenging  systems  audits,  despite 
high  staff  turnover.  We  have  experienced  much  internal  change  over  the  last  few  years.  We 
now  need  to  confirm  that  our  processes  are  efficiently  designed  and  that  all  staff  follow 
them.  Being  efficient  lets  us  meet  demands  for  assurance  work  on  the  government's 
financial  statements  and  performance  measures,  and  to  produce  useful  recommendations. 

We  will  place  a  priority  on  working  with  management,  boards  and  audit  committees  of  the 
entities  we  audit  to  encourage  improved  governance  practices.  In  particular,  we  will  focus  on 
improving  their  understanding  of,  and  ability  to  report  on,  the  quality  of  their  internal  control 
systems.  Effective  governance  encourages  strong  controls,  resulting  in  more  efficient  audits. 

•  Respond  to  market  demand  for  our  professional  staff — the  environment  we  operate  in  is 
changing  and  we  face  greater  demands  from  external  organizations  for  our  staff.  Staff 
turnover  is  the  highest  in  eight  years.  Also,  key  audit  executives  have  or  will  soon  be 
retiring,  so  we  need  to  manage  succession  to  ensure  continued  high-quality  leadership  in  the 
Office.  Our  capacity  to  meet  the  expectations  of  our  stakeholders  and  our  business  plan 
goals  depends  on  our  success  in  attracting,  training  and  retaining  good  employees.  It  also 
depends  on  our  ability  to  adapt  to  a  market-driven  increase  in  staff  turnover.  We  need  to 
focus  on  retaining  staff  in  demand  at  other  places.  This  means  continuing  to  give  them 
challenging  work,  a  clear  career  path,  and  competitive  compensation.  Also,  we  will  focus  on 
finding  new  approaches  to  meeting  our  staff  needs  at  a  reasonable  cost. 
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AUDITOR 
GENERAL 


Alberta 


Alberta  Legislature 
Office  of  the  Auditor  General 
Management's  Responsibility  for  Financial  Reporting 


The  accompanying  financial  statements  of  the  Office  of  the  Auditor  General  are  the 
responsibility  of  the  management  of  the  Office. 

The  financial  statements  have  been  prepared  by  management  in  accordance  with  Canadian 
generally  accepted  accounting  principles.  Financial  statements  are  not  precise  since  they  include 
certain  amounts  based  on  estimates  and  judgments.  When  alternative  accounting  methods  exist, 
management  has  chosen  those  it  deems  most  appropriate  in  the  circumstances  in  order  to  ensure 
that  the  financial  statements  are  presented  fairly  in  all  material  respects. 

The  Office  of  the  Auditor  General  maintains  control  systems  designed  to  provide  reasonable 
assurance  as  to  the  effectiveness  and  efficiency  of  operations,  the  relevance  and  reliability  of 
internal  and  external  reporting,  and  compliance  with  authorities.  The  costs  of  control  are 
balanced  against  the  benefits,  including  the  risks  that  the  control  is  designed  to  manage. 

The  financial  statements  have  been  audited  by  Kingston  Ross  Pasnak  LLP,  Chartered 
Accountants,  on  behalf  of  the  members  of  the  Legislative  Assembly. 


Fred  J.  Dunn,  FCA 
Auditor  General 
May  28,  2007 
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Alberta  Legislature 
Office  of  the  Auditor  General 
Financial  Statements 
March  31,  2007 


Auditors'  Report 

Statement  of  Financial  Position 

Statement  of  Operations 

Statement  of  Cash  Flows 

Notes  to  the  Financial  Statements 

Schedule  1 :  Output  Costs  by  Ministry 

Schedule  2:  Other  Performance  Information 
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KINGSTON    ROSS    P  A  S  N  A  K 


May  28,  2007 


AUDITORS'  REPORT 


Edmonton,  Alberta 


To  the  Members  of  the  Legislative  Assembly: 

We  have  audited  the  statement  of  financial  position  of  the  Office  of  the  Auditor  General  as  at 
March  31 ,  2007  and  the  statements  of  operations  and  cash  flows  for  the  year  then  ended.  These 
financial  statements  are  the  responsibility  of  the  Office's  management.  Our  responsibility  is  to 
express  an  opinion  on  these  financial  statements  based  on  our  audit. 

We  conducted  our  audit  in  accordance  with  Canadian  generally  accepted  auditing  standards.  Those 
standards  require  that  we  plan  and  perform  an  audit  to  obtain  reasonable  assurance  whether  the 
financial  statements  are  free  of  material  misstatement.  An  audit  includes  examining,  on  a  test  basis, 
evidence  supporting  the  amounts  and  disclosures  in  the  financial  statements.  An  audit  also  includes 
assessing  the  accounting  principles  used  and  significant  estimates  made  by  management,  as  well 
as  evaluating  the  overall  financial  statement  presentation. 

In  our  opinion,  these  financial  statements  present  fairly,  in  all  material  respects,  the  financial  position 
of  the  Office  of  the  Auditor  General  as  at  March  31 ,  2007  and  the  results  of  its  operations  and  its 
cash  flows  for  the  year  then  ended  in  accordance  with  Canadian  generally  accepted  accounting 
principles  for  public  sector  entities. 


Kingston  Ross  Pasnak  LLP 


Chartered  Accountants 
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Alberta  Legislature 
Of  fice  of  the  Auditor  General 
Statement  of  Financial  Position 
As  at  March  31,  2007 


2007  2006 


Assets 

Audit  fees  receivable  $      1,529,921  $  1,315,850 

Other  receivables  and  prepaids  78,287  122,945 

Capital  assets  (Note  3)  170,328  355,855 


1,778,536       $  1,794,650 


Liabilities 

Accounts  payable                                                     $      1,678,575  $  1,104,694 

Accrued  vacation  pay                                                       1,171.931  1,085,328 

2,850,506  2,190,022 


Net  Assets  (Liabilities) 

Net  liabilities  at  beginning  of  year                                         (395,372)  (329,157) 

Net  cost  of  operations                                                    (15,976,813)  (15,212,853) 

Net  transfer  from  general  revenues                                        15,300,215  15,146,638 

(1,071,970)  (395,372) 

$      1,778,536  $  1,794,650 


The  accompanying  notes  and  schedules  are  part  of  these  financial  statements. 
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Alberta  Legislature 
Office  of  the  Auditor  General 

Statement  of  Operations 
Year  Ended  March  31,  2007 


2007 

2006 

Budget 

Actual 

Actual 

(Note  5) 

Personnel 

Salaries  and  wages  (Note  7) 

$    9,721,000  $ 

8,832,699 

$  8,790,335 

Agent  and  other  audit  services  fees 

4,050,000 

3,663,331 

3,747,528 

Employer  contributions 

1,625,000 

1,603,037 

1,459,636 

Temporary  staff  services 

1,185,000 

2,063,932 

1,316,621 

Advisory  services 

261,000 

203,799 

231,794 

Miscellaneous 

4,000 

3,296 

124,585 

16,846,000 

16,370,094 

15,670,499 

Supplies  and  services: 

Professional  fees,  training  and  development 

755,000 

721,389 

607,382 

Technology  services 

435,000 

477,175 

437,601 

Travel 

395,000 

439,808 

441,618 

Amortization  of  capital  assets 

265,000 

256,602 

316,772 

Materials  and  supplies 

135,000 

134,014 

153,185 

Rental  of  office  equipment 

95,000 

97,588 

87,877 

Telephone  and  communications 

75,000 

68,458 

70,465 

Repairs  and  maintenance 

10,000 

23,329 

20,910 

Miscellaneous 

35,000 

33,442 

38,051 

2,200,000 

2,251,805 

2,173,861 

Total  office  professional  services 

19,046,000 

18,621,899 

17,844,360 

Audit  fee  revenue 

(2,185,000) 

(2,645,086) 

(2,631,507) 

Net  cost  of  operations  for  the  year  (Note  6) 

$  16,861,000  $ 

15,976,813 

$  15,212,853 

The  accompanying  notes  and  schedules  are  part  of  these  financial  statements. 
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Alberta  Legislature 
Office  of  the  Auditor  General 

Statement  of  Cash  Flows 
Year  Ended  March  31,  2007 


2007 

2006 

Operating  transactions: 
Net  cost  of  operations 
Non-cash  transactions: 

Amortization  of  capital  assets 

$  (15,976,813) 
256,602 

$  (15,212,853) 
316,772 

(15,720,211) 

(14,896,081) 

Increase  in  audit  fees  receivable 

Decrease  (increase)  in  other  receivables  and  advances 

Increase  in  accounts  payable 

Increase  in  accrued  vacation  pay 

(214,071) 
44,658 
573,881 
86,603 

(131,160) 
(70,866) 
1 1.533 
93,096 

Net  cash  used  by  operating  transactions 

(15,229,140) 

(14,993,478) 

Capital  transactions: 

Acquisition  of  capital  assets 
Disposal  of  capital  assets 

(71,075) 

(156,871) 
3,711 

rvei  cdsn  useu  oy  (.apiuu  iraiisacuuiis 
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Financing  transactions: 

Net  transfer  from  general  revenues 

15,300,215 

15,146,638 

Net  cash  provided  (used) 

Cash,  beginning  of  year 

Cash,  end  of  year 

$ 

$ 

The  accompanying  notes  and  schedules  are  part  of  these  finanacial  statements. 
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Alberta  Legislature 
Office  of  the  Auditor  General 
Notes  to  the  Financial  Statements 
Year  Ended  March  31,  2007 

Note  1 — Authority  and  Purpose 

The  Auditor  General  is  an  officer  of  the  Legislature  operating  under  the  authority  of  the  Auditor 
General  Act,  Chapter  A-46,  Revised  Statutes  of  Alberta  2000.  General  revenues  of  the  Province 
of  Alberta  fund  both  the  net  cost  of  operations  of  the  Office  of  the  Auditor  General  and  the 
purchase  of  capital  assets.  The  Select  Standing  Committee  on  Legislative  Offices  reviews  the 
Office's  annual  operating  and  capital  budgets. 

The  Office  of  the  Auditor  General  exists  to  serve  the  Legislative  Assembly  and  the  people  of 
Alberta.  The  Auditor  General  is  the  auditor  of  all  government  ministries,  departments,  funds,  and 
Provincial  agencies,  including  regional  health  authorities,  universities,  public  colleges,  and 
technical  institutes.  With  the  approval  of  the  Assembly's  Select  Standing  Committee  on 
Legislative  Offices,  the  Auditor  General  may  also  be  appointed  auditor  of  a  Crown  controlled 
corporation  or  another  organization.  The  results  of  the  Office's  work  are  reported  in  the  Annual 
Report  of  the  Auditor  General  presented  to  the  Legislative  Assembly. 

Note  2 — Significant  Accounting  Policies  and  Reporting  Practices 

These  financial  statements  have  been  prepared  in  accordance  with  Canadian  generally  accepted 
accounting  principles  for  public  sector  entities  and  reflect  the  following  policies  and  practices: 

(a)  Audit  fees 

Audit  fee  revenue  is  recognized  when  billable  assurance  audits  are  performed.  Audit  fees  are 
charged  to  organizations  that  are  funded  primarily  from  sources  other  than  Provincial 
general  revenues,  and  to  regional  health  authorities  audited  with  the  approval  of  the  Select 
Standing  Committee  on  Legislative  Offices.  The  fees  billed  to  the  regional  health  authorities 
only  recover  the  fees  charged  to  the  Office  by  agents. 

(b)  Output  costs 

Schedule  1  provides  detailed  costs  for  two  types  of  output: 

•  Assurance  auditing  results  in  auditor's  reports  on  financial  statements  and  on 
performance  measures. 

•  Systems  auditing  is  undertaken  to  produce  recommendations  for  improved  government 
management  of  and  accountability  for  public  resources  in  the  Auditor  General's  Annual 
Report  to  the  Legislative  Assembly. 

(c)  Expenses  incurred  by  others 

Services  contributed  by  other  entities  in  support  of  the  Office's  operations  are  disclosed  in 
Note  6. 
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(d)  Capital  assets 

Capital  assets  are  recorded  at  cost.  Amortization  is  calculated  on  a  straight-line  basis,  over 
the  estimated  useful  lives  of  the  assets,  at  the  following  rates: 

Computer  hardware  33% 
Computer  software  33% 
Office  equipment  1 0% 

(e)  Pension  expense 

Pension  costs  included  as  part  of  these  statements  refer  to  employer  contributions  for  the 
current  service  of  employees  during  the  year  and  additional  employer  contributions  for 
service  relating  to  prior  years. 

(f)  Valuation  of  financial  assets  and  liabilities 

The  amounts  reported  as  audit  fees  receivable,  other  receivables  and  advances,  accounts 
payable  and  accrued  vacation  pay  approximate  their  fair  values. 


Note  3 — Capital  Assets 


2007 

2006 

Cost 

Accumulated 

Net  Book 

Net  Book 

Amortization 

Value 

Value 

Computer  hardware 

$  804,315 

$  713,155 

S  91,160 

$  239,182 

Computer  software 

271,550 

271,550 

1,700 

Office  equipment 

743,262 

664,094 

79,168 

1 14,973 

$  1,819,127 

$  1.648,799 

S  170.328 

S  355.855 

Note  4 — Defined  Benefit  Plans 

The  Office  participates  in  the  multi-employer  pension  plans:  Management  Employees  Pension 
Plan  and  Public  Service  Pension  Plan.  The  Office  also  participates  in  the  multi-employer 
Supplementary  Retirement  Plan  for  Public  Service  Managers.  The  expense  for  these  pension 
plans  is  equivalent  to  the  annual  contributions  of  $920,767  for  the  year  ended  March  31,  2007 
(2006:  $801,667). 

At  December  31,  2006,  the  Management  Employees  Pension  Plan  reported  a  deficiency  of 
$6,765,000  (2005:  $165,895,000)  and  the  Public  Service  Pension  Plan  reported  a  deficiency  of 
$153,024,000  (2005:  $187,704,000).  At  December  31,  2006,  the  Supplementary  Retirement  Plan 
for  Public  Service  Managers  had  a  surplus  of  $3,698,000  (2005:  $10,018,000). 
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The  Office  also  participates  in  a  multi-employer  Long  Term  Disability  Income  Continuance  Plan. 
At  March  31,  2007,  the  Management,  Opted  Out  and  Excluded  Plan  reported  an  actuarial  surplus 
of  $10,148,000  (2006:  $8,31 1,000).  The  expense  for  this  Plan  is  limited  to  the  annual 
contributions  for  the  year. 

Note  5 — Budget 

The  budget  shown  on  the  statement  of  operations  is  based  on  the  budgeted  expenses  approved  by 
the  Select  Standing  Committee  on  Legislative  Offices  on  March  3,  2006.  The  following  table 
compares  the  Office's  actual  expenditures  to  the  voted  budgets. 

Operating  expenses: 

Voted  budget  $  19,046,000 

Actual  expenses  18,621,899 

Unexpended  $  424,101 


Capital  investments: 

Voted  budget  $  120,000 
Actual  expenditure   71,075 


Unexpended  $  48,925 


Note  6 — Expenses  Incurred  by  Others 

The  Office  had  the  following  transactions  with  other  entities  for  which  no  consideration  was 
exchanged.  The  amounts  for  these  transactions  are  estimated  based  on  the  costs  incurred  by  the 
service  provider  to  provide  the  service. 

2007  2006 


Expenses  incurred  by  Alberta  Infrastructure  and  Transportation 
Accommodation 

Amortization  of  leasehold  improvements 


Expense  incurred  by  the  Legislative  Assembly's  Office 
Audit  fee 


$ 

580,623 

$  503,245 

5,820 

5,820 

$ 

586,443 

S  509,065 

$ 

23,250 

$  20,250 
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Note  7 — Salaries  and  Benefits 

Salaries  and  benefits  of  the  Auditor  General  and  his  Assistants  comprise: 

2007  2006 


Base  Salary1" 

Other  Cash 
Benefits'2' 

Other  Non-cash 
Benefits'3' 

Total 

Total 

Auditor  General141 

$  206,000 

$  3.502 

$  54.593 

$  264.095 

$  219.118 

Assistant  Auditor  General' N 

157.500 

23.000 

33.795 

214,295 

209,349 

Assistant  Auditor  General'6' 

157,500 

35.069 

34,996 

227,565 

217,793 

Assistant  Auditor  General'7' 

145,500 

23.000 

35,517 

204,017 

183.331 

Assistant  Auditor  General'8' 

145,500 

17,000 

33.670 

196.170 

184.021 

Assistant  Auditor  General'1" 

165.981 

$  812.000 

S  101.571 

S  192.571 

S  1.106.142 

$  1.179.593 

Base  salary  comprises  pensionable  base  pay. 

Other  cash  benefits  include  bonuses,  vacation  payments,  and  any  payments  in  lieu  of  employer 
contributions  towards  employee  non-cash  benefits.  Accumulated  vacation  of  $12,069  was  paid  to  the 
Assistant  Auditor  General'6'  (2006:  $12,069) 

Other  non-cash  benefits  include  the  Office's  share  of  all  employee  benefits,  and  contributions  or 
payments  made  on  behalf  of  employees,  including  pension,  health  care,  dental  coverage,  group  life 
insurance,  short  and  long-term  disability  plans,  WCB  premiums,  professional  memberships  and 
tuition. 

Automobile  provided,  no  dollar  amount  included  in  benefits  and  allowances 


Ministry  responsibilities  as  at  March  31,  2007: 
Responsibilities — Health  &  Wellness. 

Responsibilities — Education,  Environment,  Finance,  Service  Alberta,  Sustainable  Resource 
Development,  and  Treasury  Board. 

Responsibilities — Agriculture  and  Food,  Cross-Ministry,  Employment,  Immigration  and  Industry. 
Executive  Council,  Justice,  Seniors  and  Community  Supports,  Solicitor  General,  and  Tourism,  Parks, 
Recreation  and  Culture. 

Responsibilities — Children's  Services,  Energy,  Infrastructure  and  Transportation,  International, 
Intergovernmental  and  Aboriginal  Relations,  Legislative  Assembly,  and  Municipal  Affairs  and 
Housing. 

Position  was  occupied  for  nine  months  in  prior  year  until  the  Assistant  Auditor  General  retired  on 
December  31,  2005.  He  continues  under  contract  to  be  responsible  for  Advanced  Education  and 
Technology. 
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Note  8  Comparative  Figures 

Certain  2006  figures  have  been  reclassified  to  conform  to  the  2007  presentation. 

Note  9  Approval  of  the  Financial  Statements 

These  financial  statements  were  approved  by  the  Auditor  General. 
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Schedule  1 

Alberta  Legislature 
Office  of  the  Auditor  General 
Schedule  of  Output  Costs  h\  Ministry 
For  the  Year  Ended  March  31,  2007 


2007  Budget 

2007  Actuals 

2006  Actuals 

Assurance 

Systems 

Total 

Assurance 

Systems 

Total 

Assurance 

Systems 

Total 

Auditing 

Auditing 

Auditing 

Auditing 

Auditing 

Auditing 

rt'ork  performed  by  Sector: 

Advanced  Education 

$  3,138.000 

$       731.000  $ 

3,869,000 

S  3,431.129 

S       716,080  $ 

4.147.209 

$  2.873,220 

S        519,087  $ 

3.392.307 

and  Technology 

Agriculture  and  Food 

430.000 

143,000 

573.000 

53 VI 1  1 

58.623 

591.734 

357,744 

456.472 

814.216 

Children's  Services 

760.000 

786,000 

1.546,000 

837,179 

269.569 

1.106.749 

730,225 

138.509 

868.734 

Cross-Ministry 

134.000 

1,368,000 

1.502.000 

196,706 

1.163.809 

1.360.515 

140.561 

1.349.314 

1.489.875 

Education 

375.000 

1 49.000 

574.000 

454,723 

27.499 

482.222 

328.801 

336,622 

665.423 

Employment,  Immigration 

580.000 

161,000 

741.000 

743.381 

31.352 

774.733 

533.270 

102.895 

636.165 

and  Industry 

Energy 

413.000 

252.000 

665.000 

598.363 

166,781 

765.144 

387.891 

83,921 

471.812 

Environment 

83,000 

1 50.000 

233.000 

200,742 

242,972 

443.714 

1(12.51 1 

189.372 

291.883 

Executive  Council 

57.000 

69.000 

126.000 

56,355 

11.678 

68.033 

62.882 

16.202 

79.084 

Finance 

1,910,000 

272.000 

2.182.000 

2.424.583 

1 19.657 

2.544.240 

1.940.538 

663.933 

2.604.471 

Health  and  Wellness 

1 .480.000 

567.000 

2.047.000 

1.750,353 

4 1 7,649 

2,168,002 

1,555,493 

314,717 

1.870.210 

infrastructure  and 

470.000 

374.000 

844.000 

376,180 

313.720 

689,900 

474,408 

241.238 

765,646 

Transportation 

International.  Intergov 

106.000 

106.000 

119,346 

64,410 

183.756 

96.464 

2,071 

98,535 

and  Aboriginal  Relations 

Justice  and  Attorney  General 

212.000 

1 5.000 

227.000 

257,744 

8,650 

266.394 

203.963 

40.214 

244.177 

Legislative  Assembly 

70.000 

8.000 

78.000 

107,336 

2,684 

110,020 

78,963 

6,343 

85,306 

Municipal  Affairs  and 

327.000 

34.000 

361.000 

321.647 

50.185 

371.832 

514.014 

103.116 

617.130 

Housing 

Seniors  and  Community 

546.000 

520.000 

1,066,000 

512.365 

4,616 

516.981 

353.417 

249.630 

603,047 

Supports 

Service  Alberta 

644.000 

230.000 

874.000 

639.334 

41.666 

681.000 

583,527 

128.64(1 

712,167 

Solicitor  General 

277,000 

123,000 

400,000 

316.002 

27.495 

343.496 

224.954 

89.130 

314.084 

Sustainable  Resource 

200.000 

124.000 

324.000 

191.473 

137.467 

328.940 

156.790 

320,036 

476.826 

Development 

Tourism,  Park.  Recreation 

371.000 

44.000 

415.000 

339.828 

20.619 

360.447 

329.452 

120.566 

450.017 

and  Culture 

Treasury  Hoard 

293.000 

293.000 

298.793 

IN. (146 

316.839 

2')  v24^ 

241. 245 

S  12.876,000 

s    h.ni.oon  s 

19.046.000 

$  14.706.673 

S     3.915.226  $ 

18,621.894 

S  12,322,333 

S      5.522.027  S 

17.844.360 
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Schedule  2 

Alberta  Legislature 
Office  of  the  Auditor  General 
Other  Performance  Information 

Independent  audits  that  confirm  the  reliability  and  relevance  of  financial  and 

GOAL  ONE 

non-financial  performance  reporting  to  the  Legislative  Assembly 


Performance  measures 


Target 
2006-07 


Actual 
2006-07 


Actual 
2005-06 


Issuance  of  Reports 


1  .a      Issue  our  auditor's  report  on  the  consolidated 

financial  statements  of  the  province  by  June  30th 
each  year.1 


June  30 
2006 


June  22 
2006 


June  20 
2005 


1  .b      Issue  our  specified  auditing  procedures  report  on  the 

Government  of  Alberta's  performance  information  June  30        June  22       June  20 

contained  in  Measuring  Up  by  June  30th  each  year. 1  2006  2006  2005 


1  .c      The  percentage  of  auditor's  reports  on  financial 

statements  for  consolidated  entities  with  March  31st 
year  ends  that  we  issue  by  July  1 5th  each  year. 


90% 


91% 


96% 


1  .d     The  percentage  of  auditor's  reports  for 

non-consolidated  entities  that  we  issue  within  120 
days  of  the  entity's  year  end. 2 


80% 


67% 


70% 


1  .e      The  percentage  of  specified  auditing  procedures 

reports  on  ministry  performance  information  that  we 
issue  by  September  15th  each  year. 


100% 


96% 


86% 


Budgets 

1  .f       The  percentage  of  assurance  auditinq  projects  over 

90%  59%  61% 

200  hours  completed  within  10%  of  budgeted  costs. 
1  .g      The  percentage  of  costs  dedicated  to  assurance 

auditing.  <  70%  79%  69% 


1  Required  by  June  30th  each  year  per  s.  10  of  the  Government  Accountability  Act. 

2  Includes  SUCH  sector  entities. 
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Solutions  to  improve  government  systems,  including  organizations'  systems  for 
goal  two  identifying  and  managing  their  business  risks 


Target  Actual  Actual 

Performance  measures 

2006-07  2006-07  2005-06 

Recommendations 

2. a     The  percentage  of  the  Auditor  General's  primary 

recommendations  accepted. 1                              95%  82%  96% 

2.b     The  number  of  the  Auditor  General's  primary 
recommendations  not  implemented  within  3 

None  24  20 

years  of  acceptance. 

2.c     Release  the  Auditor  General's  Annual  Report  in 

_  r  October      October  2     October  3 

October  of  each  year. 

2006  2006  2005 

Budgets 

2.d    The  percentage  of  systems  auditing  projects 

completed  within  budgeted  costs.2  70%  58%  54% 

2.e    The  percentage  of  costs  dedicated  to  systems 

auditing.  >  30%  21%  31% 


1  Acceptance  does  not  include  recommendations  accepted  in  principle  or  under  review. 

2  Methodology  focuses  on  all  systems  audits,  whether  completed  or  not  during  the  year.  Projects  where  actual  costs 
were  less  than  1 5%  of  budget  were  considered  not  started  and  were  excluded  from  the  count. 
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CORPORATE  INITIATIVES 


Performance  measures 


Target  Actual  Actual 

2006-07         2006-07  2005-06 


3. a    The  percentage  of  employees  expressing 

satisfaction  working  for  the  Office.1  N/A              N/A  77% 

3.b    The  percentage  of  staff  meeting  Office  targets  for 

available  time  spent  on  core  business  functions.2  100%            92%  88% 

3.c    Corporate  operating  costs  as  a  percentage  of  total 

Office  costs.  6SS    8n          16%  16% 

20% 


'This  biennial  survey  was  conducted  in  March  2006.  It  is  planned  to  be  conducted  annually  starting  in  November, 
2007. 

2  The  methodology  annually  limits  each  staff  member  to  25  hours  of  unassigned  time  and  100  hours  for  personal 
administration. 
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Staff 


The  employees  of  the  Office  of  the  Auditor  General  as  of  the  date  of  this  report,  and  students  who 
worked  over  the  summer  or  completed  a  co-op  term,  are: 


Al  Neid,  CA 

Holly  Opalinsky,  CA 

Monica  Fong 

Alex  Mosaico 

Hongxiang  Shen 

Nancy  Wang 

Alia  Gibson 

Ian  Sneddon,  CA 

Nathan  Hum 

Alissa  Klapstein 

Irina  Feldesh 

Nisha  Sachedina,  CTSA 

Amanada  Liu 

Jackie  DiLullo 

Noel  Chin 

Andrew  Lerohl 

Jacyln  Smith 

Norilyn  Santos 

Angela  Karwal 

James  Er 

Pablo  Binas 

Annie  Shiu,  CHRP 

Jane  Staples,  CA 

Pamela  Appelman 

Arlene  DeLuca 

Janice  Kuethe,  CGA 

Patrick  Dunnigan,  CISA 

Audrey  Hayward 

Jason  Song,  CA 

Patty  Hayes,  CA 

Aynour  Salama,  CA 

Jaspreet  Kaur 

Patty  Glasgow 

Barb  Thompson,  CA 

Jeff  Dumont,  CA 

Pelma  Jore 

Becky  Williams 

Jeff  Sittler,  CA 

Peter  Zuidhof,  CGA 

Ben  Zhao 

Jeremy  Reimer 

Phil  Minnaar,  CA 

Betty  LaFave,  CA,  CPA 

John  Jenkins 

Priscilla  Chen 

Brad  Ireland,  CA 

John  Margitich 

Priscilla  Lee 

Brad  Klaiber,  CA 

Karen  Hunder,  CA 

Queena  Dong 

Cam  Funnel  1 

Karen  Schmidt 

Ram  Rajoo,  CA 

Carrie  Green,  MCP 

Karen  Tran 

Ron  Meleshko,  LLB 

Chris  Poulettc 

Karim  Pradhan,  CA 

Ronda  White,  CA 

Cindy  Brown 

Kathy  Anderson 

Rosa-Maria  Schwaiger 

Cindy  Logan 

Kathy  Vasko,  CHRP 

Sergei  Pekh,  MBA 

Cornell  Dover,  CAIT/CISA 

Katy  Yuan 

Shawn  Dineen,  MCP 

Darrell  Pidner,  MBA,  CFE 

Kerry  Langford,  LLB 

Shelley  Ma 

Debbie  Bryant 

Laurie  Yuzwa,  CA 

Simon  Wong 

Deborah  Little 

Lisa  LaRocque,  CA 

Sujit  Varghese 

Diana  Potapovich 

Lin  Cui 

Susan  Smolley,  CMA 

Dimitri  Ospishchev 

Linda  Nham 

Svetlana  Akishyna 

Donna  Banasch,  CMA,  CA 

Linh  Trang 

Teresa  Wong,  CA,  CPA 

Donna  Chapman 

Lindsey  DeGusti 

Tim  Jansen,  CFE 

Doug  Zurbrigg 

Lori  Bonhage 

Tim  Lamb,  CA 

Doug  Wylie,  CMA 

Lori  Trudgeon 

Todd  Wellington,  CGA 

Ed  Ryan,  DIFA,  CFE 

Loulou  Eng,  CMA 

Valerie  Poon 

Elaine  Lu 

Marcela  Zicha-Green,  CA 

Veronica  Bruce 

Ellen  Gao 

Mary-Jane  Dawson,  CA 

Violet  En 

Elma  Handzic 

Maureen  Debaji,  CMA 

Vivek  Dharap,  CA  IT/CISA 

Emina  Hidic 

May  Lin 

Wendy  Popowich,  CA 

Eric  Leonty,  CA 

Medley  Russel 

Wing  Lai  Tarn 

Eric  Wagner,  CA 

Meriem  Aiffa 

Winnie  Leung 

Eva  Lee 

Merwan  Saher,  CA 

Yien-Win  Yip,  CA 

Evan  Ronyk 

Michael  Hoffman 

Ying  Kuang 

Fred  J.  Dunn,  FCA 

Michael  Huberdeau 

Gina  Fowler,  CPS 

Mike  Shorter,  CFE 

Graeme  Arklie,  CA 

Mike  Stratford,  CA 

Graham  Quast 

Michael  Ta 

Gurdeep  Minhas 

Michelle  Fleming,  CA 
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Accountability 


Glossary 

This  glossary  explains  key  accounting  terms  and  concepts  in  this  report. 

Responsibility  for  the  consequences  of  actions.  In  this  report,  accountability  requires 
ministries,  departments  and  other  entities  to: 


•  report  their  results  (what  they  spent  and  what  they  achieved)  and  compare  them 
to  their  goals 

•  explain  any  differences  between  their  goals  and  results 


Accountability  system 


Accrual  basis  of 
accounting 

Adverse  auditor's 
opinion 

Amortize 

Assurance 


Attest  work,  attest  audit 
Audit 

Auditor 

Auditor's  opinion 

Auditor's  report 
Business  cases 


Government  accountability  allows  Albertans  to  decide  whether  the  government  is 
doing  a  good  job.  They  can  compare  the  costs  and  benefits  of  government  action: 
what  it  spends,  what  it  tries  to  do  (goals),  and  what  it  actually  does  (results). 

A  system  designed  to  ensure  that  the  government  is  accountable  for  how  it  spends 
public  money.  The  system  requires  the  government  to: 

1 .  set  measurable  goals  and  responsibilities 

2.  plan  the  work  to  achieve  the  goals 

3.  do  the  work  and  monitor  progress 

4.  report  on  results 

5.  evaluate  results  and  provide  feedback  to  refine  or  adjust  plans 

A  way  of  recording  financial  transactions  that  puts  revenues  and  expenses  in  the 
period  when  they  are  earned  and  incurred. 

An  auditor's  opinion  that  financial  statements  are  not  presented  fairly  and  are  not 
reliable. 

To  reduce  an  amount  of  money  to  zero  over  a  certain  time. 

An  auditor's  written  conclusion  about  something  audited.  Absolute  assurance  is 
impossible  because  of  several  factors,  including  the  nature  of  judgment  and  testing, 
the  inherent  limitations  of  control,  and  the  fact  that  much  of  the  evidence  available  to 
an  auditor  is  only  persuasive,  not  conclusive. 

Work  an  auditor  does  to  express  an  opinion  on  the  reliability  of  financial  statements. 

An  auditor's  examination  and  verification  of  evidence  to  determine  the  reliability  of 
financial  information,  to  evaluate  compliance  with  laws,  or  to  report  on  the  adequacy 
of  management  systems,  controls  and  practices. 

A  person  who  examines  systems  and  financial  information. 

An  auditor's  written  opinion  on  whether  things  audited  meet  the  criteria  that  apply  to 
them. 

An  auditor's  written  communication  on  the  results  of  an  audit. 

An  assessment  a  project's  financial,  social  and  economic  impacts.  A  business  case  is 
a  proposal  that  analyses  the  costs,  benefits  and  risks  associated  with  the  proposed 
investment,  including  reasonable  alternatives.  The  province  has  issued  business  case 
usage  guidelines  and  a  business  case  template  that  the  Department  can  refer  to  in 
establishing  its  business  case  policy. 
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Capital  asset 
Capitalize 
Capital  planning 


COBIT 


Core  business 

Corporate  government 
accounting  policy 


Criteria 

Cross-ministry 

Crown 

Deferred  maintenance 

Domain 
ERP 


Exception 
Expense 


A  long-term  asset. 

To  charge  an  expense  to  a  capital  asset  account  rather  than  an  expense  account. 
A  process  to: 

•  identify  the  short-  and  long-term  capital  assets  needed  to  carry  out  core 
businesses 

•  rank  capital  projects 

•  prepare  business  cases  to  support  capital  projects 

•  determine  the  cost  and  method  of  financing  capital  projects 

Abbreviation  for  "Control  Objectives  for  Information  and  Related  Technology". 
COBIT  was  developed  by  the  Information  Systems  Audit  and  Control  Foundation  and 
the  IT  Governance  Institute.  COBIT  provides  good  practices  for  managing  IT 
processes  to  meet  the  needs  of  enterprise  management.  It  bridges  the  gaps  between 
business  risks,  technical  issues,  control  needs,  and  performance  measurement 
requirements. 

The  essential  thing  that  a  ministry  does. 

An  accounting  policy  that  the  Department  of  Treasury  Board  requires  ministries  and 
departments  to  use  in  preparing  their  financial  statements.  Accounting  policies 
include  both  the  specific  accounting  principles  an  organization  uses  and  the  ways  it 
applies  the  principles. 

Reasonable  and  attainable  standards  of  performance  that  auditors  use  to  assess 
systems. 

The  section  of  this  report  covering  systems  and  problems  that  affect  several 
ministries  or  the  whole  government. 

The  Government  of  Alberta. 

Any  maintenance  work  not  performed  when  it  should  be.  Maintenance  work  should 
be  performed  when  necessary  to  ensure  capital  assets  provide  acceptable  service  over 
their  expected  lives. 

A  logical  grouping  of  computers  and  devices  on  a  network. 

Abbreviation  for  Enterprise  Resource  Planning.  ERPs  integrate  and  automate  all  data 
and  processes  of  an  organization  into  one  comprehensive  system.  A  typical  ERP  has 
multiple  modules  within  a  computer  software  application,  standardized  hardware, 
and  a  centralized  database  used  by  all  modules  to  achieve  this  integration.  Although 
an  ERP  can  be  as  small  as  an  accounting  and  payroll  application,  the  term  ERP  is 
usually  associated  with  larger  systems  that  perform  many  functions  within  an 
organization.  Examples  of  modules  in  an  ERP,  which  formerly  would  have  been 
stand-alone  applications,  include:  Financials  (General  Ledger,  Accounts  Payable,  and 
Accounts  Receivable),  Payroll,  Human  Resources,  Purchasing  and  Supply  Chain, 
Project  Management,  Asset  Management,  Student  Administration  Systems  and 
Decision  Support  Systems.  Some  of  the  more  common  ERPs  are  PeopleSoft,  SAP, 
Great  Plains,  and  Oracle  Applications. 

Something  that  does  not  meet  the  criteria  it  should  meet — see  "Auditor's  opinion". 
The  cost  of  a  thing  over  a  specific  time. 
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(,  \  \i> 


Governance 


IMAGIS 


Internal  audit 


Internal  control 


Management  letter 


Material,  materiality 
Misstatement 

Net  realizable  value 

Outcomes 
Outputs 

Performance  measure 
Performance  reporting 
Performance  target 


Abbreviation  for  "generally  aeeepted  accounting  principles",  which  are  established 
by  the  Canadian  Institute  of  Chartered  Accountants. 

A  process  and  structure  that  brings  together  capable  people  and  relevant  information 
to  achieve  goals.  Governance  defines  an  organization's  accountability  systems  and 
ensures  the  effective  use  of  public  resources. 

Abbreviation  for  the  government's  Integrated  Management  Information  System — a 
customized  version  of  PeopleSoft.  It  is  the  main  computer  program  that  ministries 
use  for  financial  and  human  resource  information  systems. 

A  group  of  auditors  within  a  ministry  (or  an  organization)  that  assesses  and  reports 
on  the  adequacy  of  the  ministry's  internal  controls.  The  group  reports  its  findings 
directly  to  the  deputy  minister.  Internal  auditors  need  an  unrestricted  scope  to 
examine  business  strategies;  internal  control  systems;  compliance  with  policies, 
procedures,  and  legislation;  economical  and  efficient  use  of  resources;  and  the 
effectiveness  of  operations. 

A  system  designed  to  provide  reasonable  assurance  that  an  organization  will  achieve 
its  goals.  Management  is  responsible  for  an  effective  internal  control  system  in  an 
organization,  and  the  organization's  governing  body  should  ensure  that  the  control 
system  operates  as  intended.  A  control  system  is  effective  when  the  governing  body 
and  management  have  reasonable  assurance  that: 

•  they  understand  the  effectiveness  and  efficiency  of  operations 

•  internal  and  external  reporting  is  reliable 

•  the  organization  is  complying  with  laws,  regulations,  and  internal  policies 

Our  letter  to  the  management  of  an  entity  that  we  have  audited.  In  the  letter,  we 
explain: 

1 .  our  work 

2.  our  findings 

3.  our  recommendation  of  what  the  entity  should  improve  and  how  it  should  do  so 

4.  the  risks  if  the  entity  does  not  implement  the  recommendation 

We  also  ask  the  entity  to  explain  specifically  how  and  when  it  will  implement  the 
recommendation. 

Something  important  to  decision-makers. 

A  misrepresentation  of  financial  information  due  to  mistake,  fraud,  or  other 
irregularities. 

Estimated  selling  price  in  the  ordinary  course  of  business  minus  estimated  costs  of 
completion  and  sale. 

The  results  an  organization  tries  to  achieve  based  on  its  goals. 

The  goods  and  services  an  organization  actually  delivers  to  achieve  outcomes.  They 
show  "how  much"  or  "how  many". 

Indicator  of  progress  in  achieving  a  goal. 

Reporting  on  financial  and  non-financial  performance  compared  to  plans. 
The  expected  result  for  a  performance  measure. 
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Public  sector  accounting 
standards 

Public  sector  comparator 


Qualified  auditor's 
opinion 

Recommendation 


Reservation  of  opinion 
Risk 

Risk  management 
Server 

Shadow  bid 


Sole  source  contract 

Specified  auditing 
procedures 


Systems  (management) 


Systems  (accounting) 


Systems  audit 


Accounting  principles,  similar  to  GAAP,  which  apply  to  the  public  sector;  established 
by  the  Public  Sector  Accounting  Board. 

A  benchmark  to  assess  the  value  for  money  of  two  different  ways  of  constructing 
facilities  and  providing  services:  by  traditional  government  methods  and  by  a 
public-private  partnership.  The  private  sector  partner  may  design,  build,  finance, 
operate,  maintain,  and  own  the  facility.  In  a  traditional  government  model,  the 
government  would  do  all  these  things.  Public  sector  comparators  are  typically  used  in 
long-term  and  construction  projects. 

An  auditor's  opinion  that  things  audited  meet  the  criteria  that  apply  to  them,  except 
for  one  or  more  specific  areas — which  cause  the  qualification. 

A  solution  we — the  Office  of  the  Auditor  General  of  Alberta — propose  to  improve 
the  use  of  public  resources  or  to  improve  performance  reporting  to  Albertans. 

A  generic  term  for  an  adverse  auditor's  opinion  or  a  qualified  auditor's  opinion. 

Anything  that  impairs  an  organization's  ability  to  achieve  its  goals. 

Identifying  and  then  minimizing  or  eliminating  risk  and  its  effects. 

Computer  hardware  and  software  that  provides  specialized  services  such  as  data 
storage,  data  processing  or  web  hosting. 

A  bid  on  a  significant  project  that  is  a  benchmark  to  ensure  that  the  bids  of  eligible 
suppliers  are  reasonable.  A  project  owner  pays  an  expert  to  make  a  shadow  bid 
estimating  a  reasonable  amount  for  the  project.  By  making  the  shadow  bid,  the  expert 
becomes  ineligible  to  bid  on  the  project.  A  shadow  bid  is  particularly  important  if 
there  are  no  competing  bids  on  a  project. 

An  agreement  with  just  one  supplier  chosen  without  a  competitive  bidding  process. 

Actions  an  auditor  performs  to  check  certain  qualities,  such  as  reliability,  of  reported 
information  that  management  asks  the  auditor  to  check.  Specified  auditing 
procedures  are  not  extensive  enough  to  allow  the  auditor  to  express  an  opinion  on  the 
information. 

A  set  of  interrelated  management  control  processes  designed  to  achieve  goals 
economically  and  efficiently. 

A  set  of  interrelated  accounting  control  processes  for  revenue,  spending,  the 
preservation  or  use  of  assets,  and  the  determination  of  liabilities. 

To  help  improve  the  use  of  public  resources,  we  audit  and  recommend  improvements 
to  systems  designed  to  ensure  value  for  money. 

Paragraphs  (d)  and  (e)  of  subsection  19(2)  of  the  Auditor  General  Act  require  us  to 
report  every  case  in  which  we  observe  that: 

•  an  accounting  system  or  management  control  system,  including  those  designed  to 
ensure  economy  and  efficiency,  was  not  in  existence,  or  was  inadequate  or  not 
complied  with,  or 

•  appropriate  and  reasonable  procedures  to  measure  and  report  on  the  effectiveness 
of  programs  were  not  established  or  complied  with. 

To  meet  this  requirement,  we  do  systems  audits.  First,  we  develop  criteria  (the 
standards)  that  a  system  or  procedure  should  meet.  We  always  discuss  our  proposed 


264 


Annual  Report  of  the  Auditor  General  of  Alberta  2006-2007 


Volume  2 


Glossary 


criteria  with  management  and  try  to  gain  their  agreement  to  them.  Then  we  do  our 
work  to  gather  audit  evidence. 

Next,  we  match  our  evidence  to  the  criteria.  If  the  audit  evidence  matches  all  the 
criteria,  we  conclude  the  system  or  procedure  is  operating  properly.  But  if  the 
evidence  doesn't  match  all  the  criteria,  we  have  an  audit  finding  that  leads  us  to 
recommend  what  the  ministry  must  do  to  ensure  that  the  system  or  procedure  will 
meet  all  the  criteria. 


For  example,  if  we  have  5  criteria  and  a  system  meets  3  of  them,  the  2  unmet  criteria 
lead  to  the  recommendation. 


Unqualified  auditor's 
opinion 

Value  for  money 


Virus  signatures 


A  systems  audit  should  not  be  confused  with  assessing  systems  with  a  view  to  relying 
on  them  in  an  audit  of  financial  statements. 

An  auditor's  opinion  that  things  audited  meet  the  criteria  that  apply  to  them. 


The  concept  underlying  a  systems  audit  is  value  for  money.  It  is  the  "bottom  line"  for 
the  public  sector,  analogous  to  profit  in  the  private  sector.  The  greater  the  value 
added  by  a  government  program,  the  more  effective  it  is.  The  fewer  resources  that 
are  used  to  create  that  value,  the  more  economical  or  efficient  the  program  is. 
"Value"  in  this  context  means  the  impact  that  the  program  is  intended  to  achieve  or 
promote  on  conditions  such  as  public  health,  highway  safety,  crime,  or  farm  incomes. 
To  help  improve  the  use  of  public  resources,  we  audit  and  recommend  improvements 
to  systems  designed  to  ensure  value  for  money. 

A  unique  string  of  bits,  or  the  binary  pattern,  of  a  vims.  The  virus  signature  is  like  a 
fingerprint  in  that  it  can  be  used  to  detect  and  identify  specific  v  iruses.  Anti-virus 
software  uses  the  virus  signature  to  scan  for  the  presence  of  malicious  code. 


Other  resources 

The  Canadian  Institute  of  Chartered  Accountants  (CICA)  produces  a  useful  book  called.  Terminology  for 
Accountants.  They  can  be  contacted  at  CICA,  277  Wellington  Street  West,  Toronto,  Ontario,  Canada  M5V  3H2  or 
www.ciea.ca. 
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